All 2 Lord Stirrup contributions to the Telecommunications (Security) Act 2021


Tue 29th Jun 2021
Thu 15th Jul 2021

Telecommunications (Security) Bill

Lord Stirrup (CB)

My Lords, I welcome this Bill. It is not only necessary, it is also overdue, but it is just one step on a path along which we have much further to go. By itself the Bill will have only a limited impact. If we are to realise its benefits, we need to think about the wider questions it leaves unanswered. Addressing these questions is crucial to our future safety and prosperity.

Throughout history, technological advances have brought with them exciting new opportunities, but they have also introduced serious vulnerabilities. Meanwhile, as our society has grown more complex, interconnected and interdependent, so its ability to weather shocks has grown more fragile—to the point now that serious technological disruptions could have catastrophic consequences. This should not be taken as an argument against embracing technology and the benefits it confers. It should, though, make us think very seriously about the new vulnerabilities we create and how we might mitigate the associated risks.

The Bill goes some way towards meeting that responsibility, but it does not provide the whole answer. As the title of the Bill tells us, the issue we confront is one of security, but we have to ask ourselves what exactly we mean by that term. In my view, we do not mean invulnerability. We should certainly seek to defend critical areas such as our telecommunications from attack, but a defender always has certain disadvantages. The choice of when, where and how to attack lies with the assailant and the defender is, at least at first, on the back foot. This problem is particularly acute when the space or activities to be defended are widely spread, as with our telecommunications network. We cannot therefore assume that an attack will fail, no matter how well we prepare. Quite the opposite: we have to assume at least a degree of success. So, the security of our national telecommunications infrastructure becomes a question less of how to prevent attacks entirely and more of how well we can absorb and recover from them.

In its first report of May last year, the National Infrastructure Commission acknowledged as much and recommended an architecture which can “anticipate” challenges, “resist, absorb” and “recover” from attacks and adapt accordingly. It calls on the Government to set “resilience standards”, appoint regulators to “oversee regular stress testing” and require that:

“Infrastructure operators produce long term resilience strategies”.


Can the Minister tell the House what progress has been made in implementing these recommendations?

All of this seems to throw up two different categories of question: what policies and actions would best protect our infrastructure from attack and achieve the necessary resilience, and how do we provide appropriately rapid assessments and directions to counter the effects of such attacks?

On the first point, at which this Bill is aimed, the Huawei experience would seem to suggest restricting the provision of parts of our infrastructure to trusted suppliers and operators, but who are they and how are they to be engaged? They cannot be drawn solely from the ranks of “British” companies—whatever that means in today’s globalised business environment—since we do not have the mass, the spread or the technologies within our economy to meet all our own needs. It is certainly possible to identify less risky 5G suppliers than Huawei, but not ones that are risk free.

Even where we do have a national capability to provide and operate parts of our infrastructure, problems remain. Are the Government to identify such national champions in selected areas of business? This may be necessary in some very restricted areas, but such dirigisme has a poor track record in the UK for two principal reasons. First, the Government are not very good at identifying winners. Secondly, in order to remain in business, such champions need a regular drumbeat of UK orders, which, in turn, stifles competition and efficiency. There are many salutary examples of this in the history of defence procurement.

A more productive approach might be to decrease reliance on one or even a few suppliers and thus build a degree of redundancy into the most critical parts of our infrastructure. This would not be the cheapest solution, at least in the short term, but the level of insurance that it provides might be well worth paying for. The Government need to develop an approach that balances cost, risks and resilience—that constantly monitors and rebalances this equation in the context of our complex and dynamic world.

This requirement, alongside the observation that some of our judgments will inevitably prove to be wrong, and in the expectation that some attacks will succeed, at least in part, brings me to my final point. Things move quickly in the world of technology, and they will move even faster during a determined attack on our telecommunications infrastructure. If we are to respond successfully, if we are to absorb the first blow, recover from it and reshape ourselves for the future, we will need two things: agility and adaptability. Agility in this sense is our ability to respond quickly to those things we did not or could not foresee—to change our systems, plans and, indeed, our thinking on the fly to check and outmanoeuvre our opponents. Our resilience and ability to recover will depend on this. Adaptability, by contrast, is about our ability to change our longer-term posture in the light of emerging threats and opportunities and to learn from both failure and success. Agility keeps us in the fight and helps us master immediate challenges. Adaptability maintains our readiness in a changing world.

Provision of these crucial attributes cannot be left to the individual service providers, but neither can they be delivered by the Government or by a regulatory body such as Ofcom. Those organisations can and should formulate policies, allocate resources and check compliance, but we also need a much more flexible arrangement to provide effective command and control of both our detailed preparations for, and our response to, attacks. Perhaps there is a role here for an expanded National Cyber Security Centre. So, while I welcome and support this necessary Bill, I urge the Government to view it as just one stage of a much longer journey. It is a good plan, but like all plans it will not survive first contact with the enemy. If we are safely to reap the benefits of new technologies, we need ways not just of regulating them but of dealing swiftly and competently with the dangers presented by their malign exploitation. This Bill goes only so far; we need to go much further.

Telecommunications (Security) Bill

The Earl of Erroll (CB)

My Lords, I do not want to bang on for a long time because, in a way, this falls in with things such as the technical advisory committee. It is all part and parcel of the same thing, and we have to keep our eyes open and start forward scanning and see what else is out there.

Ofcom is not in fact a department; I seem to remember that it was set up by Europe through regulations and that originally, it reported via Parliament to the European regulators. I am not entirely sure what Ofcom’s chain of command is; I must do some research into it. Having this buried inside such a body without proper parliamentary scrutiny is unwise, so it is only sensible to embed the principle of having proper advisory committees. This is an obvious no-brainer: we need people with these abilities and skills to be advising on this stuff, and I cannot understand why there would be any objection to it.

Amendment 25 covers the very good point about long-term strategy. As was pointed out on Tuesday, our relationship with the Five Eyes could easily change. There have been efforts from time to time to drive a wedge between us, and we need to start looking at that. One cannot assume that the status quo regarding who is an ally or friend will continue for ever. The fact that we are in different parts of the globe and therefore perhaps in different trading blocs could cause undue pressure, so we must have this horizon-scanning, long-term attitude.

The speech of the noble Lord, Lord Coaker, reminded me of the Tallinn Manual and the question of when cyberwarfare escalates to actual warfare because your entire infrastructure and systems have been taken down. It is a very interesting document. I skimmed through it a long time ago, but it was very eye-opening and before we just leap in, people should take a look at it.

That is really all I have to say. This is so obvious, and I just hope that the Government are going to do something about it.

Lord Stirrup (CB)

My Lords, in speaking to Amendments 18 and 25, to which I have added my name, I have in mind the very purpose of the Bill itself, which is, I take it, to ensure the security and resilience of our telecommunications capability here in the UK. The Bill as drafted places certain duties on the providers of those capabilities and gives powers to the Secretary of State to make regulations and issue codes of practice. This is all well and good, but these somewhat mechanistic, albeit welcome, measures will not by themselves result in the necessary degree of security and resilience.

As I said at Second Reading, things move quickly in the world of technology, and they will move even faster during a determined attack on our telecommunications infrastructure. If we are to respond successfully, we will need to be both agile and adaptable. The measures in the Bill will, by themselves, not ensure this.

One of the reasons why we are even considering this Bill is concerns over the position of Huawei in our telecommunications architecture, the clear channel that runs through that company to the Chinese Communist Party, and the ensuing vulnerability of our system. None of this comes as a great surprise, but we have allowed ourselves to get into a position where we are now having to play catch-up. This is largely because we spent the first half of the last decade thinking almost exclusively of the economic opportunities offered by China and very little about the associated security risks; in other words, our decision-making process was unbalanced and distorted. Without proper safeguards, we could easily find ourselves in a similar situation with regard to some future threat.

What sorts of safeguards might help prevent such an occurrence? There is no single answer to this question but at the very least we need a process that provides an appropriate degree of horizon scanning and that, importantly, draws in expertise from across technology, business and security organisations and, indeed, from across different government departments, to give us the best chance of coming to a balanced view.

That is what Amendment 18 seeks to do. It will not cure all ills but it will provide us with a mechanism to drive adaptability, not just in our architecture but in our thinking, something that is traditionally hard to achieve. Of course, the Minister may say that the Bill is not the place for setting out this kind of thing. My response to that would be: if not here, then where? The responsibilities outlined in the amendment must be met if we are to achieve the Bill’s laudable purpose.

Amendment 25 is in many ways a follow-on from Amendment 18. It calls for the deliberations of a horizon-scanning body and the ensuing policies and actions to be presented to Parliament in the form of a comprehensive strategy. Most importantly, it seeks to ensure that such a strategy is coherent with other elements of government policy, as set out in various documents, such as the integrated review, and in other legislation, such as the National Security and Investment Act. It also seeks to encourage international co-operation in this regard. I believe this is essential, since we rely so heavily on collective security for our national safety. The noble Lord, Lord Coaker, has already highlighted the importance that NATO now attaches to the whole area of communications and cyberspace.

Taken together, these two amendments put in place measures that would improve our agility and adaptability and thus strengthen the Bill in terms of its ultimate purpose. If the Government are going to set their face against such measures in this legislation, I ask the Minister to explain how the essential functions they prescribe are to be carried out and how Parliament can be confident of their success.

Baroness Stroud (Con)

My Lords, it is a privilege to speak after the noble and gallant Lord, Lord Stirrup. I support Amendment 18, in the names of the noble Lord, Lord Coaker, and the noble and gallant Lord, Lord Stirrup, and Amendment 25, which is also in the name of the noble Lord, Lord Alton.

These amendments propose a pathway forward that would ensure we are well equipped to handle the challenges that will inevitably come our way in the next decade. Amendment 18 places a requirement on the Secretary of State to create a body designed to analyse and consider existing and emergent threats in the telecommunications sector, incorporating representatives from the major bodies of our national security matrix. This body would then be required to lay an annual report before all Members of Parliament, ensuring adequate parliamentary scrutiny and oversight. Indeed, if not for Back-Bench agitation, we might still be aimlessly integrating Huawei into our critical infrastructure, lagging behind our Five Eyes allies in recognising the security threat that such high-risk vendors pose.

Amendment 25, building on the horizon scanning outlined in Amendment 18, requires the Secretary of State to publish a long-term telecommunications strategy in partnership with the aims and outcomes of our closest Five Eyes and NATO allies. In alignment with the integrated review of security, defence, development and foreign policy, this strategy would ensure that long-termism is built into our thinking across both our economic and strategic aims in the coming decade.

We have one of the most sophisticated and advanced intelligence-gathering apparatuses in the world. We are a significant asset to our Five Eyes and NATO allies and a crucial linchpin in ensuring the international order. Yet we have been slow to respond to the rapidly changing digital landscape that we find ourselves in.

An obvious example of this is the much-discussed high-risk vendor, Huawei. It is extraordinary to think that all the way back in 2013 a report from the Intelligence and Security Committee concluded that Huawei posed a risk to national security and that private providers were responsible for ensuring the security of the UK telecoms network. Yet now, according to Ofcom, Huawei accounts for about 44% of the equipment used in providing superfast full-fibre connections directly to homes, offices and other businesses in the UK.

In a Statement to Parliament last year, the Foreign Secretary made the welcome announcement that

“high-risk vendors should be excluded from all safety-related and safety-critical networks in critical national infrastructure”—[Official Report, Commons, 28/1/20; cols. 710-11.]

and yet, due to how embedded this vendor has become in our critical infrastructure and the lack of competition, Huawei, as we have heard, is not set to be removed as a provider until 2027. It should never have reached this point. A horizon-scanning body and deeper parliamentary oversight would ensure that we are not left sleeping at the wheel again. How was it that our Five Eyes allies were significantly more alert to this risk than we were?

Furthermore, without cross-body co-ordination, the rapid advances in technology we are set to witness over the coming years will make it even more difficult to adapt to threats as they manifest themselves. GCHQ Director Jeremy Fleming suggests that the UK needs to prioritise the advances in quantum computing, as well as working with allies to build better cyber defences and shape international standards and laws in cyberspace. With quantum computing becoming more mainstream, there is a risk that a sudden increase in processing power could render existing encryption methods useless.

These are just some of the challenges we face. The future of our security and sovereignty will depend on the steps we take in this Bill. According to MI5, at least 20 foreign intelligence services are actively operating against UK interests. We have a remarkable security and intelligence community but, as we enter this new era, we must accept that our ability to adapt to emerging challenges will be the defining feature that drives us forward and keeps us ahead of other nations that would challenge our national interests.

We have seen how easy it is for a digital attack to break down our critical systems. Just last month, a ransomware attack in the US took down the entire Colonial Pipeline infrastructure, which transmits nearly half the east coast’s fuel supplies. Analysts have suggested that hackers could have been inside Colonial’s IT network for weeks or even months before launching their ransomware attack.

This issue extends into the digital space. A 2018 report commissioned by the US Senate intelligence committee, The Tactics & Tropes of the Internet Research Agency—a Russian propaganda unit—revealed that there was:

“A sweeping and sustained social influence operation consisting of various coordinated disinformation tactics aimed directly at US citizens, designed to exert political influence and exacerbate social divisions in US culture”.


I posit that we may not even be aware of the scope of the disinformation and destabilisation occurring online that is challenging our sovereignty and internal security.

I support these amendments in light of the fact that it has taken considerable Back-Bench activity to alert us to the security issues posed by high-risk vendors; that we are still not thinking clearly on China; and that we need systems and structures to ensure that long-termism is built into our thinking across both our economic and strategic aims in the coming decade.

--- Later in debate ---
Baroness Merron (Lab)

My Lords, I will also speak to Amendment 26, which stands in my name. As I recall raising at Second Reading, the whole point about this legislation is not just its intent but whether it can be delivered in practice. Can it do the job that it intends to do? These amendments are intended to ensure that we know we have the resources, whether in people, funding, infrastructure or whatever, to deliver the protections that the Bill is intended to offer. There are considerable questions about that.

I will focus first on the new responsibilities, remit and powers that are being given to Ofcom. As we know, there has been a vast expansion of Ofcom’s remit over the past 10 years, so it is most important that it is appropriately resourced to carry out its duties and to be very forward-looking. As my noble friend Lord Coaker said earlier, for us, the whole issue of looking forward is a particular concern in the Bill. That has been echoed by many noble Lords this afternoon. I note that reassurance is often given by the noble Baroness, Lady Barran, as the Minister and I am sure that the noble Lord, Lord Parkinson, will also seek to reassure me. But I am sure he will have picked up the feeling in the Room today that we need to go rather further than words of reassurance.

What we know about Ofcom is that experience in national security measures is not its natural and current territory, so the expansion of these duties will absolutely require people with the required level of security clearance and experience. I recall the comments of Emily Taylor of Oxford Information Labs during the debate in the Public Bill Committee in the other place. She has considerable expertise in cyber intelligence and she said at that time that Ofcom

“will have to acquire a very specific set of skills and capabilities, and that will require substantial investment and learning as an organisation”.—[Official Report, Commons, Telecommunications (Security) Bill Committee, 19/1/21; col. 72.]

I also note that a memorandum was published recently by Ofcom and the National Cyber Security Centre about how they will work together as part of the new regulatory regime. On the face of it, I thought that might provide some of the reassurance that I am sure the Minister will wish to give to noble Lords. However, I observe that while the National Cyber Security Centre will indeed be able to provide advice on national security matters, the question is whether Ofcom has the resource and the greater expertise to understand that advice. It is one thing to receive advice but another to be able to work with it. I am sure noble Lords know their own limitations. I certainly know mine when it comes to advice and expertise. For me, that memorandum did not show understanding of the limitations that there are.

Amendment 23 would require Ofcom to report annually on the adequacy of measures taken by network providers to comply with changes introduced in the Bill, empowering the Government to track the effectiveness of the legislation. That seems to be good legislation: to put it in place, to make sure it does the job it ought to do, to resource it and then to track its effectiveness.

Amendment 23 would also ensure that Ofcom will have the human and informational resources to provide an assessment of security risks based on its interrogation of network providers’ asset registers. This needs to include things such as a reference to the adequacy of Ofcom’s budget, funding and staffing levels and any potential skill shortages that might mean that it cannot do the job it is intended to do.

It is interesting to look at the Government’s own impact assessment, which states that the costs of monitoring compliance with the telecoms security requirements could be up to £49.4 million by 2029. Allied to that, Ofcom’s current budget for telecoms security for this financial year has been increased by £4.6 million; that is intended to reflect its enhanced security role under the Bill. The first obvious question to the Minister is whether this funding will be sufficient to meet the demands and to engage those with the right security skills. As a supplementary question to that, what targets does Ofcom have to seek the numbers of new staff it needs?

On staff shortages and funding shortfalls, how does the Minister consider that the Government will be aware of these problems without some kind of annual report? Furthermore, where do the public fit into this? How will they know that everything is in hand without such a reporting requirement being met? In my view, if Ofcom is to do more on security, the Government absolutely have to make sure that it is secure and able in its new role.

We spoke earlier about the absolutely crucial aspects of future proofing and horizon scanning. It seems that Ofcom also needs to be able to assess future risks to the security of UK telecoms. We know that new types of threat have emerged over recent years; for example, attacks on healthcare systems. We are also sensitive to potential future risks; for example, the dependence of cloud computing infrastructure on Amazon Web Services, the dominant vendor in this market. Clearly, dangers could arise if AWS was bought by a hostile foreign state or hacked by a hostile operator. In all these ways, we need to ensure that Ofcom is equipped not just for the present but for the future.

Amendment 26 looks at the very important matter of skills in the wider sector. We know from the Institute of Engineering and Technology that the UK economy is suffering a loss of £1.5 billion per year due to STEM skills shortages, and the Chartered Institute of Personnel and Development has found that two-thirds of employers who have vacancies report that some are proving hard to fill, with engineering being one of the most prevalent.

Amendment 26 seeks to require the Government to publish a review of the implications of skills shortages and training support for the security of the telecommunications network and its supply chain. Again, this amendment looks forward to ensure that we can protect our security capability.

I have a few specific questions for the Minister. I would be interested to know whether he is concerned that the 2027 target for Huawei removal might be delayed due to skills shortages. Can he comment on what skills shortages have been identified as a security risk? What action are the Government taking to fill them? I look forward to hearing from him regarding these amendments. I beg to move.

Lord Stirrup (CB)

My Lords, Amendments 23 and 26 touch on the critical issue of skills, in Ofcom and then more widely in the supply chain. They are right to do so, but in my view they are too constrained and do not go nearly far enough. This is not the fault of the drafters—they have to propose amendments that fall within the scope of this particular legislation, and they have done so admirably—but the problem they expose goes much wider than the field of telecommunication.

We find ourselves in this discussion at least in part because of our current reliance on Huawei technology and on the associated vulnerabilities that this introduces. But why have we become so dependent on Huawei? I said earlier that in the first half of the last decade we made unbalanced decisions about our trade and security relationship with China, and that is true. But it is also a fact that Huawei was—and still is—one of the very few companies to have brought the necessary technology to market. Frankly, there were not many options open to us, so our supply chain is anything but resilient in this area.

There are two elements to this problem. One is the level of industrial commitment to and investment in critical technologies; the other is the skills base to support such industries. Both of these interlinked issues must be addressed if we are to resolve the weakness in our supply chain.

The answer does not, of course, have to be wholly national. Industrial capacity and skills that are sufficiently widespread internationally, particularly among responsible countries that abide by international law, norms and standards, would provide us with an acceptable degree of resilience. This will undoubtedly have to be part of the solution, at least in the short term, but we have to ask ourselves why, in technologies that are so important to our security and that promise such future advantage to the companies involved, we are lagging so far behind. I acknowledge that we cannot lead everywhere and provide everything ourselves, but surely an important part of our national strategy should be to put ourselves in the van of those capabilities that will shape and guard our future.

This is certainly not about direct government involvement in business decisions; that approach already has a quite sufficiently inglorious history. It is, though, about government incentives—not least through a clear strategy and consequent procurement decisions—for the appropriate industries and a national effort to provide the necessary skills base to support those industries.

Amendment 26 makes some modest proposals in this regard and I welcome them, as far as they go, but we need to go much further. Telecommunication is not the only area to be hampered by such problems, and I believe we should take a more holistic approach. I have no doubt the Minister will reject the amendment, although I stand ready to be surprised. If, however, he lives up to my expectations, I invite him to say whether the Government agree with my analysis and, if so, how they propose formally to tackle a problem that is so central to our future security and prosperity.