Telecommunications (Security) Bill Debate
Lord Parkinson of Whitley Bay (Conservative - Life peer), debates with the Department for Digital, Culture, Media & Sport
(3 years, 4 months ago)
Grand Committee

Once again, this is a short but important debate, and one of a continuing series. In response to the noble and gallant Lord, Lord Stirrup, we had a short discussion that, to some extent, was crying over spilt milk about why industrial capacity in telecommunications in the United Kingdom is where it is. I think the noble Earl, Lord Erroll, largely agrees with me that it is to do with the purchasing decisions made by near-monopolistic private sector companies based on price. If that is not a lesson for the Government to take forward, we are all doomed anyway.
To turn to the detail of these two amendments, as both the noble Baroness, Lady Merron, and the noble and gallant Lord, Lord Stirrup, have set out, they are about people. Without overrepeating it, I come to the point I was talking about earlier, which is that BEIS is going through a similar process. It is setting up a unit that is supposed to scan the entire industrial landscape for supposed security problems and alert the Minister to decisions that should be made about the future of those companies. These people will have many of the same skills and face many of the same issues, going forward.
First, does the Minister think there is a sufficient pool of people available to cover both these units? Is it sensible to have two units operating in parallel to, and probably in isolation from, each other, with the BEIS unit setting up a telecoms capability, which DCMS will also have? Perhaps the Minister can tell us what conversations are going on between DCMS, Ofcom and BEIS to avoid that duplication. We have already heard that there are too few people so, frankly, it does not make much sense to have two departments competing for the same people.
More broadly, the noble Baroness, Lady Merron, is completely correct that there is a huge issue with the availability of people. Unless the Government pick up major programmes to train and retrain people and look at skills that are completely necessary to move forward, we will be left high and dry without the skills we need to create the sorts of industries that the noble and gallant Lord, Lord Stirrup, suggested we need. That will take time, so perhaps the Minister can say what the plan is. What is the process and what discussions are going on with trainers, universities and employers to deliver the skill set we need?
Of course, we would want to review all this annually, which is why these amendments are here, so the Government necessarily come to Parliament to explain how they are getting on and what they are doing. I am sure the Government do not want us to be suspicious of what they are doing, and the best way to avoid that suspicion is to be open and transparent, rather than try to operate in a black box.
My Lords, these amendments, both tabled by the noble Baroness, Lady Merron, highlight the two important issues that our short debate covered—the role of Ofcom in relation to the Bill; and skills and training, and their effect on telecoms security. I am pleased to have the opportunity to outline some of the work that has already been done in these areas, which I hope explains why we consider these amendments not to be needed.
Amendment 26 would require the Government to complete a review of, and publish a report on, the impact of levels of skills and training on the security of the telecoms network and supply chain. It would require the Government to publish the report within six months of Royal Assent.
The Government certainly agree that it is crucial that public telecoms providers and organisations such as Ofcom have access to people with the skills that they need to keep our networks safe. DCMS published research this year as part of its annual survey, Cyber Security Skills in the UK Labour Market, which found that 50% of UK businesses have a basic technical skills gap. It also found that they do not have confidence in their ability to carry out basic cybersecurity functions and do not outsource these skills.
That is why the Government have a range of programmes already in place to support the growth of cybersecurity skills. Over the past five years, work funded by DCMS has supported over 160,000 young people to forge a career in the cyber sphere. The department has also funded a range of schemes to help adults or career changers to acquire new skills, most recently through the Cyber Launchpad initiative and projects sponsored through the fast track digital workforce fund.
Clearly, there is still much more work to be done to close the cyber skills gap. However, we are making progress. When compared with the 2018 survey, Cyber Security Skills in the UK Labour Market 2021 found that organisations were less likely to report a basic cyber skills gap in areas such as firewall configuration, restricting administrator rights and patching.
Specifically on skills in the telecoms sector, we know that telecoms providers need to have access to people with the right skills to ensure that their networks and services are secure, as the noble and gallant Lord, Lord Stirrup, rightly said. That is why we are creating a pipeline of these skills for the future, with telecoms apprenticeships currently available across the sector, and over 4,500 people starting this year alone.
The creation of the UK telecoms lab, as announced by my right honourable friend the Secretary of State in the other place last November, will facilitate knowledge sharing and promote skills development in telecoms security. The lab will collaborate with DCMS, the National Cyber Security Centre, the newly established UK Cyber Security Council and industry. It will develop and deliver training packages and support the establishment of professional bodies and communities. I hope that these initiatives demonstrate how seriously the Government take the task of supporting telecoms skills, and cyber skills in particular, and why we feel that the review proposed in the amendment is not needed.
I will speak more broadly about our skills agenda. The Department for Education has targeted specific investment in key areas of learning, such as science, technology, engineering and mathematics—STEM—and technical and digital subjects, which could support careers in telecoms. That includes: £2.5 billion of investment in the national skills fund to support adults to retrain and gain the skills they need for the future; nearly £2.5 billion made available for high-quality industry-designed apprenticeships; £500 million a year towards T-levels; up to £290 million to establish institutes of technology across the country, which will be the pinnacle of technical training; and a new £18 million growth fund to support further and higher education providers to expand high-quality higher technical education.
The noble Baroness, Lady Merron, asked about the impact of skills on the removal of Huawei equipment. We have no plans or intention to delay the 2027 target for the removal of Huawei equipment from 5G networks. Indeed, BT, for example, has already shared in the media that it is making good progress on removing Huawei from 5G networks, starting in Hull. We believe that we are on track.
Amendment 23 would require Ofcom to publish an additional statement as part of its annual report, under paragraph 12 of the Schedule to the Office of Communications Act 2002. This statement would contain information about the adequacy of Ofcom’s resourcing, and telecoms providers’ compliance with their security duties. It would also contain Ofcom’s assessment of any future or emerging risks to telecommunications networks, identified by interrogating telecoms providers’ asset registries.
I reassure the Committee that this amendment is also not needed. The Bill already contains a range of reporting mechanisms that will ensure that Ofcom’s role can be properly scrutinised. I will address three of these mechanisms in particular.
First, Ofcom will need regularly to report to the Secretary of State under new Section 105Z, providing information to assist him with the formulation of policy on telecommunications security. New subsection (4)(a) makes it clear that this report must include information on providers’ compliance with the duties imposed on them by the Bill.
Secondly, Ofcom will need to report on telecoms security in its annual infrastructure report. Clause 11 specifies that this should include information on the extent to which providers are complying with their security duties under new Sections 105A to 105D. Thirdly, by virtue of Clause 14, the Secretary of State will need regularly to report to Parliament on the effectiveness and impact of the new telecoms security framework.
The amendment would address three issues. I will take each in turn. The first concerns Ofcom’s resources, on which the noble Baroness, Lady Merron, began. As my noble friend the Minister mentioned at Second Reading, Ofcom’s security budget for this financial year has been increased by £4.6 million. This funding will allow Ofcom more than to double its headcount of people working on telecoms security, ensuring it has the necessary capacity to deliver its new responsibilities under the Bill. The noble Baroness asked specifically about staffing. Ofcom will work with a recruitment partner to secure the specific cyber skills needed to implement this work. This will include seconding in technical expertise to develop its capability further.
As we discussed earlier in the Committee, Ofcom will also work closely with the NCSC, which will share its expertise to support Ofcom’s implementation of the new regime. The noble Baroness mentioned the relationship between Ofcom and the National Cyber Security Centre. As she noted, the two organisations are in the process of developing a memorandum of understanding and have published a statement summarising how they intend to work together. The three key principles set out in that statement are, first, that the NCSC will provide expert technical cybersecurity advice to Ofcom to support implementation of the new telecoms security framework; secondly, that Ofcom and the NCSC will exchange information where necessary and permitted by law; and, thirdly, that the NCSC will continue to provide incident management support during serious cybersecurity incidents to telecoms operators and to Ofcom as necessary. That statement can be found on Ofcom’s website.
The second area of the amendment is a requirement for Ofcom’s annual report to include information on providers’ compliance with their duties under new Sections 105A to 105D. This reporting would duplicate provisions elsewhere in the Bill. Ofcom is already required to report publicly on providers’ compliance with those duties in Clause 11.
The final point in the amendment is about publishing information on emerging and future security risks. This has also been accounted for in the Bill. New Section 105Z(4)(f) already requires that Ofcom report to the Secretary of State any emerging risks it becomes aware of in its annual report on security. The noble Baroness asked about informing the public. It would be at the discretion of the Secretary of State whether to publish this information.
I can assure the Committee that Ofcom takes a forward-looking approach to regulation to ensure that it is robust in the face of market and technological developments. For example, its recent Technology Futures report looked at innovative technologies that will shape the communications industry, with input from the world’s leading technologists.
I hope that I have provided assurance that adequate and detailed reporting requirements for Ofcom are already outlined in the Bill. As I have set out, it already includes provision for reporting on Ofcom’s work, so additional requirements about skills and training are not necessary. I hope that the noble Baroness will therefore be content not to press her amendments.
My Lords, I thank the noble Lords, Lord Clement-Jones and Lord Fox, for tabling this amendment. I do not have too much to add to this brief and interesting debate, but I take the opportunity to thank the Constitution Committee for its report on the Bill.
At Second Reading the Minister said:
“Oversight of the Investigatory Powers Act regime by the Investigatory Powers Commissioner is considered appropriate because of the potential intrusion into the private lives of individuals as a result of the use of covert powers. The national security powers in this Bill are very different from those in the Investigatory Powers Act”.—[Official Report, 29/6/21; col. 747.]
However, she did not say why it would be wrong for the commissioner’s remit to change. This is the one point I put to the Minister, and it would be helpful to have a response.
My Lords, I thank the noble Lords, Lord Fox and Lord Clement-Jones, for tabling this amendment. As the noble Lord, Lord Fox, says, the noble Lord, Lord Clement-Jones, is a victim of the speedy progress we have made in this Committee.
Like them, I recognise the importance of proper oversight and scrutiny in the use of the Bill’s powers. The amendment they tabled aims to give the Investigatory Powers Commissioner oversight of the Secretary of State’s power to issue designated vendor directions. The Bill already contains effective mechanisms for oversight of the Secretary of State’s use of those powers to give a designated vendor direction or designation notice. It requires the Secretary of State to lay copies of designation notices and designated vendor directions before Parliament. That will provide Parliament with the opportunity to scrutinise their use.
As the Committee has heard, on very rare occasions the Secretary of State may choose not to lay a designation notice or direction before Parliament because to do so would be contrary to the interests of national security. Where this is the case, the Digital, Culture, Media and Sport Select Committee will be able to view such directions and notices, so there will be oversight there.
On the legal point that the noble Lord, Lord Fox, raised, designated vendor directions and designation notices are subject to ordinary judicial review principles. The Secretary of State will issue designation notices and designated vendor directions only where they are necessary in the interests of national security and the requirements in the directions are proportionate.
The Investigatory Powers Act 2016 provides a framework for use by the security and intelligence agencies, law enforcement agencies and other public authorities to obtain communications and communications data. The role of the Investigatory Powers Commissioner is independently to oversee the use of these powers, ensuring that they are used in accordance with the law and in the public interest. The regime set out in the Investigatory Powers Act is not directly comparable with the new powers and framework set out by this Bill, as the noble Baroness, Lady Merron, noted. The reason for that is that oversight of activity by the Investigatory Powers Commissioner, as authorised by the Investigatory Powers Act, is considered appropriate because these powers often involve balancing important questions regarding the right to privacy.
The national security powers in this Bill are very different from those in the Investigatory Powers Act. They focus on protecting public telecommunications networks and services from the threats posed by high-risk vendors. That is different from questions about individual citizens, their communications and their communications data. That is why we respectfully disagree with the suggestion by the Constitution Committee of your Lordships’ House and feel that it would not be appropriate for the Investigatory Powers Commissioner to have an oversight role in respect of this Bill.
Briefly, that is why the Government disagree with this amendment and hope that the noble Lord, Lord Fox, will be content to withdraw it.