All 9 Matt Warman contributions to the Telecommunications (Security) Act 2021

Read Bill Ministerial Extracts

Mon 30th Nov 2020
Telecommunications (Security) Bill
Commons Chamber

2nd reading & 2nd reading & 2nd reading: House of Commons & Carry-over motion & Carry-over motion: House of Commons & Money resolution & Money resolution: House of Commons & Programme motion & Programme motion: House of Commons & Ways and Means resolution & Ways and Means resolution: House of Commons & 2nd reading & Programme motion & Money resolution & Ways and Means resolution & Carry-over motion
Thu 14th Jan 2021
Telecommunications (Security) Bill (First sitting)
Public Bill Committees

Committee stage: 1st sitting & Committee Debate: 1st sitting: House of Commons
Thu 14th Jan 2021
Telecommunications (Security) Bill (Second sitting)
Public Bill Committees

Committee stage: 2nd sitting & Committee stage & Committee Debate: 2nd sitting: House of Commons
Thu 21st Jan 2021
Telecommunications (Security) Bill (Fifth sitting)
Public Bill Committees

Committee stage: 5th sitting & Committee Debate: 5th sitting: House of Commons
Thu 21st Jan 2021
Telecommunications (Security) Bill (Sixth sitting)
Public Bill Committees

Committee stage: 6th sitting & Committee Debate: 6th sitting: House of Commons
Tue 26th Jan 2021
Telecommunications (Security) Bill (Seventh sitting)
Public Bill Committees

Committee stage: 7th sitting & Committee Debate: 7th sitting: House of Commons
Tue 26th Jan 2021
Tue 25th May 2021
Telecommunications (Security) Bill
Commons Chamber

Report stage & Report stage & 3rd reading
Mon 8th Nov 2021
Telecommunications (Security) Bill
Commons Chamber

Consideration of Lords amendments & Consideration of Lords amendments

Telecommunications (Security) Bill

Matt Warman Excerpts
2nd reading & 2nd reading: House of Commons & Carry-over motion & Carry-over motion: House of Commons & Money resolution & Money resolution: House of Commons & Programme motion & Programme motion: House of Commons & Ways and Means resolution & Ways and Means resolution: House of Commons
Monday 30th November 2020

(3 years, 11 months ago)

Commons Chamber
Read Full debate Telecommunications (Security) Act 2021 Read Hansard Text Read Debate Ministerial Extracts
Matt Warman Portrait The Parliamentary Under-Secretary of State for Digital, Culture, Media and Sport (Matt Warman)
- Hansard - -

I thank all Members for a well-informed and important debate. We have heard across the House that all Members believe that this Government should be putting national security at the very top of our agenda. That is what we are doing tonight. We are also putting forward a strategy that will allow the UK to derive all the benefits that we possibly can from all the enhanced digital reliance that we have seen across the country over the course of this pandemic and, of course, before it.

We have all heard this evening just how much connectivity matters and just how much our national security matters. We heard upwards of 20 speeches, which clearly demonstrated the critical importance of the security of our telecoms networks, especially as we move into the next phase of digital connectivity. As the Secretary of State has said, this Bill will raise the security bar across the board. It will provide us with the capabilities that we need to protect ourselves from a range of threats, both now and in the future. I am pleased that the Bill has support across the House. It is clear that we are all keen to put the UK’s national security interests first.

I hope that Members are reassured that the Government are taking these issues seriously. A number of Members referred to the Huawei interest group. Much as I have enjoyed being the subject of the Huawei interest group’s interest, I am glad that we have come to a position that has been welcomed across the House. The Government have taken steps today both to lay out our diversification strategy—an important £250 million commitment that is detailed and has real potential to see British companies grow in the way that my right hon. Friend the Member for Vale of Glamorgan (Alun Cairns) identified—and to publish illustrative designations and directions demonstrating the transparency that many Members across the House have asked for. Through that, I think we have demonstrated our commitment to dealing with the risks to our networks and the national security threats that come from high-risk vendors.

I turn to some of the points that have been raised in the course of the debate. The first, which was raised across the House, is the important matter of human rights. We want respect for human rights to be at the centre of all business that takes place in this country. These are vital issues that go much wider than telecoms. A number of Members rightly pointed out that the Telecommunications (Security) Bill will be focused on matters related to telecommunications and security, but of course we have serious concerns about the human rights situation in Xinjiang, including the extrajudicial detention of over 1 million Uyghur Muslims and other minorities in political re-education camps, systematic restrictions on Uyghur culture and the practice of Islam, and extensive invasive surveillance targeting minorities.

Where China is not meeting its obligations under international law, the UK Government will continue to speak out publicly. Indeed, the 30 June formal statement that the UK read out on behalf of 28 countries at the UN Human Rights Council highlighted arbitrary detention, widespread surveillance and restrictions targeting ethnic minorities. The Government published their response to the consultation on transparency in supply chains in September, and we are committed to taking forward an ambitious package of changes to strengthen and future-proof the transparency provisions in the Modern Slavery Act 2015. While, as many have said, issues of human rights are not matters directly for this Bill, they are acutely important, and Britain will continue to take that leading role.

Iain Duncan Smith Portrait Sir Iain Duncan Smith
- Hansard - - - Excerpts

I hear what my hon. Friend says, but surely he would concede that, as this Bill deals specifically with vendors and the vendors are themselves located, originally, in countries that may have been guilty of these abuses of whatever nature, should those companies be found to be using slave labour—such as some that are already referenced in this Bill—that would be a reason not to have them. Would he not think that they were high-risk vendors for the very simple reason that they abused those human rights?

Matt Warman Portrait Matt Warman
- Hansard - -

As I said earlier, we would want to apply those standards not just to telecoms companies but to the garment industry and in a host of other areas where we know that there is the potential for similar abuses. I absolutely hear what my right hon. Friend says, but Britain can do better than focus simply on the relatively narrow aspect of telecoms.

Bob Seely Portrait Bob Seely
- Hansard - - - Excerpts

I hear what the Minister is saying, but I wish to follow up the point made by my right hon. Friend the Member for Chingford and Woodford Green (Sir Iain Duncan Smith). If the debate on this Bill is not the place to discuss human rights, I get that, but we are also told that the debates on the National Security and Investment Bill are not the place to discuss human rights. I may get that as well, but the Government need to say where significant national interest concerns that are outside national security can be addressed. We talk the talk on human rights an awful lot in this country and this Parliament, but we have to put some trousers on that, I think.

Matt Warman Portrait Matt Warman
- Hansard - -

I am not going to engage too heavily with my hon. Friend’s trousers, but I will say to him that, as I said a minute ago, we are committed to taking forward an ambitious package of changes to strengthen and future-proof the Modern Slavery Act 2015, and that is one of several significant avenues that are open to him.

On the important matter of diversification, the telecoms supply chain review asked how we can create sustainable diversity in our telecoms supply chain. That question is addressed by the new diversification strategy that we published today, which is crucial to ensuring that we are never again in a situation in which we are dependent on just a handful of vendors who supply the networks on which so many of us have come to depend. I wish to spend a little time on this issue. The Government have been working at pace to develop the 5G supply chain diversification strategy, which sets out a clear vision for a healthy, competitive and diverse supply market for telecoms and the set of principles that we want operators and suppliers to follow.

The strategy is built around three key strands: first, securing incumbents; secondly, attracting new suppliers; and thirdly, accelerating the development and adoption of open and interoperable technologies across the market. That is why, in the diversification strategy that we published today, we commit to exploring commercial incentives for new market entrants as we level the playing field; to setting out a road map to end the provision of older legacy technologies that create obstacles for new suppliers; and to investing in R&D to grow a vibrant and thriving telecoms ecosystem here in the UK.

I say gently to the hon. Member for Newcastle upon Tyne Central (Chi Onwurah) that we have directly addressed a number of the issues that she raised in Westminster Hall last week. I look forward to engaging with her more on the strategy because it is important that we should work together to try to make sure that we all derive the benefits of a serious £250 million Government commitment that will drive early progress and ensure that our 5G diversification strategy not only bolsters the resilience and security of our digital infrastructure but creates opportunities for competition, innovation and prosperity.

John Hayes Portrait Sir John Hayes
- Hansard - - - Excerpts

It is wonderful that the strategy has emerged, but will my hon. Friend be just as clear about legislative change associated with that strategy? I understand that a further Bill may come forward; given the urgency of this issue and the concentration that his Department is applying to the strategy, when can we expect that legislation?

Matt Warman Portrait Matt Warman
- Hansard - -

We do not anticipate legislation as a direct result of the diversification strategy, but of course there are other important avenues to explore as part of the broader industrial strategy. A lot of what is in the diversification strategy does not need to be delayed by the legislative programme, and I think my right hon. Friend would welcome that.

A number of Members raised the role of Ofcom. Ofcom will monitor, assess and enforce compliance with the new telecoms security framework that will be established by the Bill. It will report on compliance to the Secretary of State alongside publishing the annual reports that he mentioned on the state of the telecoms security sector. I want to be absolutely clear: we have had productive conversations with Ofcom already. Ofcom will continue to have the resources it needs. We appreciate that those needs will be affected by the changes that we are bringing in today, and we will agree their precise nature with Ofcom. We will make sure that Ofcom has all the security clearance that it needs to do the job, and all the resources, external or otherwise, to do the job, because this is an important new power.

Ofcom may also play a role in gathering and providing information relevant to the Secretary of State’s assessment of a provider’s compliance with a designated vendor direction, and it may also be directed to gather further information to comply with the requirements specified in a direction. The Bill already enables Ofcom to require information from providers and, in some circumstances, to carry out inspection of the provider’s premises or to view relevant documents. Ofcom’s annual budget, as I say, will be adjusted to take account of the increased costs it will incur due to its enhanced security role.

Let me turn to a couple of issues raised by the hon. Member for Newcastle upon Tyne Central. We will of course be working with local authorities and with networks to minimise any disruption, but we do not anticipate that the decisions that we have made over the past few months will have a direct impact on existing commercial decisions. As the Secretary of State said, we do not expect the two to three-year delay to be extended by what we have said today, but we will keep in close contact with the networks and continue to make sure that we do everything we can to remove the barriers to the roll-out of the networks as far as we possibly can. I do, however, expect companies to do as much as they can to minimise the effects. These are commercial decisions that have been made by companies over a number of years. We have already seen, as a result of the Government’s approach over the past few months, significant changes to decisions. I welcome the neutrORAN project that my right hon. Friend the Member for Vale of Glamorgan mentioned, as well as a number of others that have been taken by networks that already see important changes to how they procure their networks.

Lord Beamish Portrait Mr Kevan Jones
- Hansard - - - Excerpts

The Minister has introduced the September 2021 date after which no new Huawei or high- risk vendor equipment can go into the networks. What will happen to those companies that perhaps have stock of Huawei equipment or entered into contracts thinking that they could implement them before September 2021 and will now have to be told that they cannot? Would they actually lose a lot of money?

Matt Warman Portrait Matt Warman
- Hansard - -

Those decisions, as I said, were taken in the context of the environment that people were already well aware of, and they are taken at a degree of commercial risk. However, we have worked closely with the networks to ensure that there will be no additional delays as a result of this decision. I think it is the right thing that puts national security at the absolute heart of our programme, but it also does that in the context of not jeopardising the clear economic benefits and the clear practical benefits of improving connectivity across the country that we would all like to see.

On the emergency services network, we anticipate that these announcements concerning Huawei will have a very low impact on the emergency services network. We do not anticipate any impact on the programme schedules. There is some Huawei equipment in the EE part of the emergency services dedicated core network that EE is already working towards removing.

Let me cover one other aspect raised by the Chair of the Intelligence and Security Committee, my right hon. Friend the Member for New Forest East (Dr Lewis). I look forward—maybe that is not quite the right phrase—to appearing before the ISC in the next few days. We will always co-operate with it, and I am very happy to work with it on the best way to balance the obvious requirement between transparency and national security, although we would always seek to be as transparent as we possibly can be within those important bounds.

Julian Lewis Portrait Dr Julian Lewis
- Hansard - - - Excerpts

I did ask a few questions. If the Minister cannot answer them now, by all means he should write to me. However, I am concerned about a situation where, for example, a former leader of the Conservative party and former Prime Minister has a major role in the China belt and road funding operation. How secure will Government be against lobbying of people with that sort of connection and prominence?

Matt Warman Portrait Matt Warman
- Hansard - -

I will simply say that the Government will always put our national security interests first, and of course we are always alive to the commercial interests of the companies that seek to engage with us in this matter or any other. I look forward to further engaging with my right hon. Friend and his Committee.

To conclude, this Bill does not simply produce a framework that will address one particular company or even one particular country. It sets up the futureproof regime that will allow us to deal with the company that we have spoken about so much this evening and also its successors in successor networks. The intention of this legislation is to persist well beyond the current challenges that we face. I am glad that it commands the support we have seen across the House. I am immensely grateful for what has been a genuinely well-informed debate and one that I look forward to carrying on in Committee. The Telecommunications (Security) Bill will create one of the toughest telecoms security regimes in the world. It will enable us to protect our national telecoms infrastructure, and it is also a chance for the UK to become the world leader in the development of new 5G technology that we all know we can be.

Question put and agreed to.

Bill accordingly read a Second time.

Telecommunications (Security) Bill (Programme)

Motion made, and Question put forthwith (Standing Order No. 83A(7)),

That the following provisions shall apply to the Telecommunications (Security) Bill:

Committal

(1) The Bill shall be committed to a Public Bill Committee.

Proceedings in Public Bill Committee

(2) Proceedings in the Public Bill Committee shall (so far as not previously concluded) be brought to a conclusion on Tuesday 19 January 2021.

(3) The Public Bill Committee shall have leave to sit twice on the first day on which it meets.

Proceedings on Consideration and up to and including Third Reading

(4) Proceedings on Consideration and any proceedings in legislative grand committee shall (so far as not previously concluded) be brought to a conclusion one hour before the moment of interruption on the day on which proceedings on Consideration are commenced.

(5) Proceedings on Third Reading shall (so far as not previously concluded) be brought to a conclusion at the moment of interruption on that day.

(6) Standing Order No. 83B (Programming committees) shall not apply to proceedings on Consideration and up to and including Third Reading.

Other proceedings

(7) Any other proceedings on the Bill may be programmed.—(David T. C. Davies.)

Question agreed to.

Telecommunications (Security) Bill (Money)

Queen’s recommendation signified.

Motion made, and Question put forthwith (Standing Order No. 52(1)(a)),

That, for the purposes of any Act resulting from the Telecommunications (Security) Bill, it is expedient to authorise any increase attributable to the Act in the sums payable under any other Act out of money so provided.—(David T. C. Davies.)

Question agreed to.

Telecommunications (Security) Bill (Ways and Means)

Motion made, and Question put forthwith (Standing Order No. 52(1)(a)),

That, for the purposes of any Act resulting from the Telecommunications (Security) Bill, it is expedient to authorise provision requiring public communications providers to pay certain costs incurred by the Office of Communications.—(David T. C. Davies.)

Question agreed to.

Telecommunications (Security) Bill (Carry-over)

Motion made, and Question put forthwith (Standing Order No. 80A(1)(a)),

That if, at the conclusion of this Session of Parliament, proceedings on the Telecommunications (Security) Bill have not been completed, they shall be resumed in the next Session.—(David T. C. Davies.)

Question agreed to.

Telecommunications (Security) Bill (First sitting)

Matt Warman Excerpts
Committee stage & Committee Debate: 1st sitting: House of Commons
Thursday 14th January 2021

(3 years, 10 months ago)

Public Bill Committees
Read Full debate Telecommunications (Security) Act 2021 Read Hansard Text Read Debate Ministerial Extracts Amendment Paper: Public Bill Committee Amendments as at 14 January 2021 - (14 Jan 2021)
Chi Onwurah Portrait Chi Onwurah
- Hansard - - - Excerpts

Q I ask these questions on behalf of Catherine West. Vodafone runs networks across Europe, and so does Three, whose owner is headquartered in Hong Kong, and O2, which is owned by Telefónica. Does the Bill duplicate or reflect legislation that you have seen elsewhere in your operations? What international comparisons are you aware of? Also, we have talked about standards being a key part of international collaboration. How many people, or what presence, do you have on international standards bodies?

Derek McManus: Basically, we have not seen anything directly like the UK legislation, although various forms of it can be seen internationally. The second question was on standards. We operate in 23 countries, and as you can imagine, their standards are key to us. We hold a lot of expertise, from a Telefónica group point of view, that the UK team is able to rely on and work with to ensure that we are at the very edge of developing the right standard.

Andrea Donà: As the Government plan to take a lead in enhancing the minimum security requirements, and in diversifying their telecoms strategy, we as a global company are happy to support the standard setting, and to advise on the practical implementation of the additional security requirements.

Patrick Binchy: I refer to Derek’s answer. We have a very similar position with regard to the UK legislation: we have not seen quite the same in the other countries. On standards, we play an active role, and we have a number of UK staff who act actively in standards setting.

Matt Warman Portrait The Parliamentary Under-Secretary of State for Digital, Culture, Media and Sport (Matt Warman)
- Hansard - -

Q Thank you to all of you for your engagement today and with the Government up to this point. Given the time, I have one, simple question. The Bill is setting up a new telecoms security framework to enhance network security. How confident are you that you will be able to comply with that in full, and what else would you like to see from the Government to enable you to do that?

Andrea Donà: We need the clarification that I mentioned of what is, and what is not, in scope, so that we have absolute clarity from the word go. We all work together to understand the profile of that implementation. It cannot be a big bang—everything complying from day one. We obviously need to do a detailed risk assessment of the areas that we need to work on immediately on the Bill’s coming into force, and of what can afford to be done at a secondary stage, based on the risk assessment and the risk management analysis of the various assets in our network.

Derek McManus: As I said in my opening remarks, collaboration to date on getting the Bill to this stage has been positive. We should continue that. My request is for flexibility to help us execute effectively, while balancing the other demands on the industry.

None Portrait The Chair
- Hansard -

You have 30 seconds, I am afraid, Patrick Binchy.

Patrick Binchy: Again, very similarly, we have to balance good connectivity with security. We are confident that our plans will meet the needs, but we will continue to work with Government and security on how we achieve and deliver that. It will be challenging, but we are confident that we can do it.

--- Later in debate ---
Chi Onwurah Portrait Chi Onwurah
- Hansard - - - Excerpts

Q Do you not think resilience is part of security? Is a network secure if it is not resilient?

Alex Towers: I think they overlap and that is one of our questions about the drafting of the Bill. There is clearly a relationship between those two things, and the concern about the timeframes for the removal of Huawei, for example, has been partly about ensuring that we have operational resilience during what is going to be a very complicated engineering programme to take out all its kit without losing resilience, in the sense of outages and blackouts for customers. Some of the Bill’s provisions talk about outages, but there is a difference between outages for operational maintenance and updating of kit and outages because of a security issue or attack. It is going to be quite important to pull those threads apart a little bit.

Howard Watson: On the vendor point, to summarise the approach that we are taking, we stopped purchase at the end of December, we will stop deployment in September of this year, we get down to 35% by two years hence from the end of next week, and then we have it removed from the mobile network by December 2027. I think that timeframe works well for us with introducing effectively a third supplier into our mobile network in terms of that 2027 point. It certainly helps mitigate any future steps in terms of a two-to-one.

I would not bank on it taking a full eight years to have an open RAN opportunity. As we heard from Andrea, colleagues at Vodafone have already started deployment . The real challenge there is about being able to use open RAN in dense urban areas where the technology works at its hardest, shall we say.

On your final question about research, we are in the top five investors in R&D in the UK—we invest in excess of £500 million a year across both research and development. In fact, the only companies that research more than us in the UK are the pharmaceuticals. I have 280 researchers based in the BT labs at Adastral Park near Ipswich and they, plus a standards organisation —we also draw in from engineers across my organisation—remain really actively involved in the standards bodies. I welcome what colleagues from the other operators say and think it is really important that we maintain that as a UK presence and as a European presence to ensure that we are not lost in the middle of any risk of divergence between the US and eastern and Asian countries and China. I would implore us all to work hard to ensure that that does not happen.

Matt Warman Portrait Matt Warman
- Hansard - -

Q Thank you to BT for your engagement thus far. I have two questions. The first is the same question I asked the other operators and is about the telecoms security framework. How confident are you that you will be able to comply with all the strictures in that? Secondly, to develop one of the questions that you have just answered, 2027 is very much a deadline and not a target. It is important that we hear more about your ability to meet that target. How taxing is that? How do you plan to make sure that everything you do can encourage the presence of a third—or more—vendor over the time we have between now and then?

Howard Watson: Let me take the final part of that question first, Minister. We are very much aware that that is a deadline, not a target, but we welcome the fact that the deadline is 2027. I have given evidence previously and have talked with Government significantly about the real risks to the availability of service if we pull that date forward.

We have a lot of infrastructure. That deadline allows us to plan carefully how we can switch off a site, if we have to, to replace it and swap it out, so that the spike has overlapping coverage from adjacent sites. Were we to be required to bring those timescales forward, we would be talking about mobile blackouts in the UK, which clearly we all want to avoid, given the increasing dependence of UK citizens on networks. We have a plan that gets us to that. The 35% by 28 January 2023, just two years away, is a little bit more challenging, but we have a plan to get us there. The pandemic is making that challenging, but right now we are on track for that too. I think that answers the second question.

In answer to your first question, the ambition that we have, and what will become requirements across the TSRs, will put the UK ahead of the pack, in being a safe place for people to work and run businesses, secure in the knowledge that we have a high level of protection against cyber-threats. We welcome that, particularly in the environment in which we are now operating.

We have remaining questions—we raised some of those in our written evidence—about the sequence by which the requirements will be applied. We think it is critically important that there is a strong baseline level of compliance that applies to everybody who operates a network in the UK. We do not want to have entry points through weak links across our environment.

Alex Towers: A large majority of what is in the TSRs reflects current best practice and we are already complying with it. There are some places where there is a stretch for us to do more, which is good. The key point, I suppose, concerns Howard’s point about making sure that the baseline for all operators is higher and strong enough, given that these are inter-connected network, as you have already heard this morning. The whole edifice is only as strong as its weakest point. We are concerned about the idea that the code of practice might not apply to some operators, for example. That is the sort of detail that we will begin to see debated further as the Bill goes through.

None Portrait The Chair
- Hansard -

Are there any further questions from Members?

Telecommunications (Security) Bill (Second sitting)

Matt Warman Excerpts
Committee stage & Committee Debate: 2nd sitting: House of Commons
Thursday 14th January 2021

(3 years, 10 months ago)

Public Bill Committees
Read Full debate Telecommunications (Security) Act 2021 Read Hansard Text Read Debate Ministerial Extracts Amendment Paper: Public Bill Committee Amendments as at 14 January 2021 - (14 Jan 2021)
Matt Warman Portrait Matt Warman (Boston and Skegness) (Con)
- Hansard - -

Q Thank you, Mr McCabe, and thank you both for your engagement and for welcoming what we are doing. I am interested to know what you feel will be the best way to work with the sectors that you represent, particularly in taking forward the diversification strategy. It is an increasingly diverse sector. The Government want to get the best they possibly can out of that £250 million initial tranche of diversification money. What are your thoughts on how we have worked with the sector thus far and what more should be going on in the future?

Hamish MacLeod: My meeting following this hearing is with the operators addressing that very point. This is something that we want to work extremely closely with the Government on. We are meeting officials next week to continue the conversation on doing things such as setting out the road map for what needs to be done R&D-wise to develop open RAN, what needs to be done from the point of view of the test programme, and what needs to be done on the standardisation road map. We will be taking a very close interest, both as individual operators and jointly.

Matthew Evans: To add to that, I echo that we have had excellent engagement with the Minister’s officials. It is about keeping the momentum up while working with the grain of industry and making sure that we are getting the incentives on the supply side, in the R&D and in the testing, and also in the demand side. That is all about making sure that we have the right commercial incentives for operators, but also that we have the right skills and, if necessary, reinforcing the operators on some of those points as well.

None Portrait The Chair
- Hansard -

Chi?

--- Later in debate ---
Chi Onwurah Portrait Chi Onwurah
- Hansard - - - Excerpts

Q You seem to be saying, then, that you are in a position to compete with Nokia and Ericsson as of today. Is that what you are saying?

Chris Jackson: We would not compete with Nokia and Ericsson in terms of standard RAN, but the whole idea is that we would look to bring open RAN technology. That is the direction that NEC is supporting. If you ask me whether we could step in today and provide that capability, we believe yes, we could.

Matt Warman Portrait Matt Warman
- Hansard - -

Q Again, I thank both NEC and Mavenir for the productive conversations that we have had already about getting involved in UK networks. Obviously, one of the things that was in the diversification strategy is the project with NEC—the NeutrORAN project that we have talked about a little bit today already; and I hope we could do, if possible, something similar in the future with Mavenir. What is striking about the NEC project—it is genuinely significant for UK networks —is that it is a £1.6 million initial jolt of funding. First, Chris—but I am very interested in Mavenir’s perspective as well—will you say a little about how Government can best target the funding? One of the things that we learnt in our previous discussions with you was that this is not solely about the scale of the funding but about the targeting, the way in which we do it and how we get the best value for taxpayers. Chris, will you say a little about that, then we can hear from Mavenir about what the equivalent sort of things might be?

Chris Jackson: First of all, thank you very much indeed, Minister, for support in that particular trial. We believe that this is very important, because it has given us the opportunity to showcase 4G and 5G open RAN capability with multi vendors, and we are doing it in supporting the share of your network, which we know is an important KPI for the UK Government, in terms of increasing that capability across the UK. They want to ensure that the investment is targeted at areas within the UK—where the UK will receive the most benefit—and, more importantly, or as importantly, an opportunity for a trial that brings multiple companies together. So, although NEC is leading this particular trial, we are working with a number of other companies to bring this overall solution together. That is exactly what open RAN is trying to embrace, and that is the way forward. We would be delighted to work with Mavenir; we are already involved with Mavenir as well. That is not a hurdle or obstacle for us.

Stefano Cantarelli: There are several angles. The first one is the neutral hosting. I would like to draw attention to the fact that we have already done work with British Telecom, two years back, on neutral hosting, so that has now been talked about for a long time. Also, you might have noticed in the market that companies—the one that comes to mind is Vilicom—have been doing this type of thing, where they deploy Mavenir infrastructure to provide neutral hosting capabilities. So, we are fully supportive and believe that this kind of funding is particularly important.

We understand that that there is some interesting funding. We are in discussion with DCMS. We are discussing some projects that we believe will boost a lot of the innovation in this space. For example, we are trying to get funding for our R&D activities for open source software that could boost the availability of radio units. We say that the radio unit is hardware, but in reality there is of course a bit of software on top. This type of software, which is mainly interfaced towards the rest of the software and the control of the operation and maintenance activities, is not differentiated for each radio unit; it is just standard. By having an open source like that, you can fundamentally get the radio vendors to focus on their IPR for analogue development and being able to produce a radio unit with different frequencies, as Pardeep said before, which we believe could boost the market. That type of funding is particularly useful, because it is aimed at boosting the market and giving availability in the open RAN of these radio units.

I would also like to add that most of the frequencies that are used today in the UK are available in our view for open RAN, so I do not see that as a problem. But that type of investment is particularly important—in R&D—so the trial that you have funded in the first round of the 5G Create programmes is particularly useful to get learning and experience. As I said, in the SONIC, we are particularly active, although that is not a 5G Create programme but a different one. We believe that in the second round, you can focus on funding some R&D specifically to boost the ecosystem of the open RAN.

Matt Warman Portrait Matt Warman
- Hansard - -

Q Finally, would you agree that there are plenty of opportunities for us to use those trials and test beds to boost British companies, particularly in software, around open RAN? That is probably where British firms are likely to focus, at least in the first instance, rather than hardware.

Stefano Cantarelli: First, remember that, as John mentioned, we acquired ip.access, which is a British company that has been in hardware for some time, so there is still space for hardware as well. Software is definitely where the majority of the innovations are. That is particularly clear—Chris mentioned this—in the IT space, where they moved from generic servers. I want to reinstate that, with servers generically available everywhere. The whole thing has really flipped on to different software. That will definitely boost the ability of a lot of companies to bring innovation.

As we always repeat, competition means innovation, and innovation is the only way. Many years ago, I was part of Vodafone. I built the 3G network for Vodafone in the UK, and at that time I had only one supplier in my network—I will not say who. I introduced another one, and it was only then that the other suppliers started to be active. Some legacy suppliers—I would say most of them—start to sit down and lie back if they are the only one in the network, because there is no motivation. From my experience from all these 30 years, that component is so important.

Matt Warman Portrait Matt Warman
- Hansard - -

Thank you.

Chi Onwurah Portrait Chi Onwurah
- Hansard - - - Excerpts

Q I wholeheartedly agree with that last comment about the importance of competition, particularly in the supply chain. That is my experience as well, in terms of building out networks. I am just struggling to understand why Vodafone, Three and O2 said earlier that there were only two full-service suppliers in the UK, when Mavenir is saying to me that you could supply a 2G, 3G, 4G or 5G network within a year. I am struggling to understand how that works. Is it a question of the network operators not being prepared to commission you? Is it an issue of price, complexity or management? Why are you not considered a full supplier by the existing network operators in the UK?

Stefano Cantarelli: Let me just address that initially before anyone else. We are a supplier in other places in the network, so they consider us a reliable supplier. We supply voice services, messaging services and everything else. You mentioned the initial deployment of open RAN by Vodafone this morning. That relates to us, because we are the supplier that it has deployed and is continuing to deploy. We are actually deploying sites for it.

I think that you have to look at two aspects when you are on an operator’s side. I am speaking from experience. It is not just about the technology; it is also about your processes and how you are able to move forward and change your mindset. I think that operators have a lot of complexity. We sympathise with them, of course—it is not an easy environment—but there are a couple of mindsets that they need to over-pass, if you let me use that word.

First, the world is changing. It is not hardware and software together; it is software and hardware disaggregated, and that of course requires some different capabilities. It is the same as when we passed from circuit voice to packet voice. Some people here may not get the example completely, but it is just a different point of view. That does not mean that it is more complex or whatever; it is just a different point of view, and you need to change. We know that change is not an easy thing. That is the first aspect that we need to take into consideration.

The second aspect is that, despite the technology that is available, you still need to consider the in-life service that you need to swap over. You have to consider that you did some planning or design based on certain principles that were available before, and you need to rethink how you are going to do that. For example, most of the 5G deployed today just uses additional frequencies on the existing sites that they have deployed with 4G, 3G and 2G. This is not what I consider full 5G, with all the characteristics of low latencies and so on. You need to start to think about the densification of sites. The Government can help a lot—with policies, by helping to define new capabilities, and by allowing the operators to change their architecture by enabling them to get more sites, and get permits more easily to build new sites.

These sites will not be like sites today; on these sites, there will be lot of carriers, a lot of technologies, and a lot of frequencies. As Pardeep said, a site today is probably just a radio unit that connects, through an internet connection—not necessarily just fibre—to a software data centre. These things are more important, and they are the reason why, although operators are in the middle of that transformation, it is taking a bit of time.

--- Later in debate ---
None Portrait The Chair
- Hansard -

I am just going to go to the Minister; if there is time, I will come back. Minister.

Matt Warman Portrait Matt Warman
- Hansard - -

Q Thank you both for what has been a really interesting discussion. I wanted to ask, partly because you mentioned it specifically: when it comes to looking at other parts of the network, such as the internet of things, are you aware of the work that we have been doing—for instance, in October we published work specifically on regulating smart devices—and do you see that sort of work as being complementary to the kind of work that we are talking about here today in relation to the Bill? Perhaps once you have dealt with that, we can deal with the Bill itself.

Julius Robson: I think it is important. What we are looking at in the 5G era is the application of mobile technologies for specialist industries, and it is entirely relevant that those industries have their own requirements for security and other requirements that apply on top of what is necessary in the basic mobile network. I do not think we need to duplicate that effort. Where we are using mobile in certain scenarios, the scenario should define the requirements. The base level of mobile connectivity should be something suitable, and affordable, for the consumers and the masses.

Dr Bennett: I am aware of the work you have been doing on security for the internet of things. I think it is complementary and extremely important. Everything should have security by design in it. It is very important to cover these types of points.

Matt Warman Portrait Matt Warman
- Hansard - -

Q In saying that, it seems to me that it supports the point of view expressed earlier, that this piece of legislation should not be expected to do everything. It is part of a broader Government response. You laid out a lot about what you think a secure network looks like and what its characteristics might be. They are not controversial in themselves. The point of debate seems simply to be whether those are for a regulator to define and be able to update on a regular basis, because we need to able to respond, or whether they should be on the face of the Bill.

I would have expected you to say, if I can put words in your mouth, that you would like the agility of the regulator’s ability to update those codes of practice, to be able to say to networks, “This is what secure looks like. If you are complying with these kinds of codes of practice, then we will be able to understand that you are meeting the requirement.” You seem to actually be saying that you want greater rigidity. I am interested to understand whether you would like the codes of practice to have the flexibility offered by the writing from the regulator or whether you would like to see them on the face of the Bill.

Dr Bennett: I think we actually want both. There should be mention in the Bill of some of the ones that I think are key, so that people realise that there is going to be a code of practice on that they should follow. It is very important to be able to be agile and to get early information, from something like a technology reference panel, about things that are coming along, in order that you think about them before they get attached to the network. Trying to do it after you have attached something to the network is frankly a nightmare, so you need to be anticipating. It is not clear that there are mechanisms for that anticipation in the Bill.

Given the SolarWinds Orion hacking, which is a recent example of something that will take a long time to sort out and is precisely what you do not want to happen in the future, it would be sensible to get someone like NCSC to test whether the things in the Bill, and things that should be in the Bill, would have enabled the mitigation of that problem to happen faster than it has. The Bill ought to be doing something like what the Americans are doing in response to that now. The Government should consider a rapid response, co-ordinated unit to deal with similar incidents in the future, because they will happen. That is the kind of thing that ought to be in the Bill to say, “This is how we are going to be able to mitigate these problems when they happen, as quickly and sensibly as possible.”

Matt Warman Portrait Matt Warman
- Hansard - -

Q I suppose, in a sense, you are already seeing some of that, are you not, with us already publishing the draft designations, the draft directions and some of the secondary legislation that would be enabled by this Bill? I think you are arguing for as much transparency as possible, of the sort that you have already seen from the extensive NCSC blogs on what the standards might look like. I do struggle to see how you would put that on to a statutory footing in the way that you have described without constraining some of the agility. Fundamentally, however, your argument seems to be in favour of transparency above all else.

Dr Bennett: Yes, and anticipating things as early as possible.

None Portrait The Chair
- Hansard -

Chi, we have time for another quick question. I think you had a point that you wanted to come back to.

--- Later in debate ---
None Portrait The Chair
- Hansard -

I am going to interrupt you. I am sorry, but I want to let the Minister get a last question in. My apologies.

Matt Warman Portrait Matt Warman
- Hansard - -

Q Thank you, Mr McCabe, although Dr Steedman was articulating some of the answers to the question that I am going to ask. Dr Steedman, the diversification strategy, as you described, lays out the importance of our work in international bodies and in international co-operation. Could you lay out what you think the most influential bodies are and where the Government should be focusing there? And Mr Parton, could you talk about how you see this Bill fitting together with the National Security and Investment Bill, to try to tackle some of the issues that you described yourself a few moments ago?

Dr Steedman: Thank you, Minister. I might suggest that this is very much a matter of horses for courses. There is a range of organisations. I mentioned the ORAN-ALLIANCE; that is clearly one. We know, obviously, about 3GPP and the role of ETSI and 3GPP; that is another. And there may be roles for the formal bodies. We need to discuss the ITU-T, the UK participation in ITU-T and how we can strengthen that. With respect, this is an area that we need to work further on; and in the diversification taskforce, we are talking about the detail of that and how we might approach it from a United Kingdom perspective.

I am optimistic that the initiatives that have been taken today with the diversification taskforce, under Lord Livingston’s leadership, are going to produce for you really quite powerful ideas and initiatives to be taken forward in the years ahead. This is possibly the first time that the UK has really co-ordinated its input in this way to try to achieve some industry transformation and behavioural change.

The other areas I have mentioned, Minister, that are really important are in the area of procurement. This is not just about the technical standards; it is also about the way standards are used in the supply chain to stimulate behaviours and to enable SMEs to participate, rather than our just being locked into large-scale providers. I am very keen that we should comment on and discuss that, and those standards are not in the technical environment; they tend to be more in the business environment, where the UK has a very strong position already in global business standards. So there is another tool in our tool shed, to be used when we come to looking at shaping the market. I am looking forward to discussing that further with you in the taskforce.

Matt Warman Portrait Matt Warman
- Hansard - -

Q Mr Parton, will you comment briefly on the co-ordination between the NS&I Bill and this Bill in a more wide-ranging response to the Chinese situation?

Charles Parton: I cannot possibly deal with this in one minute. Obviously, telecoms is a very crucial—an increasingly crucial—part of critical national infrastructure, so they are very closely linked. It goes back to what I was saying earlier. There is this question of where in the science and technology field and our research and development we allow ourselves to co-operate with China, given that its attitude is one, I think, that is really quite risky. So, when the DCMS talks about the extremely fine idea of setting up a national telecoms laboratory, I do hope that, in setting it up—it talks about co-operating widely internationally—it takes that sort of thing into account, too. I think that there will have to be great restrictions there.

This might be another example. I am well out of my field here, but we have designated high-risk and non-high-risk vendors, but what happens if some of the Chinese—they do not have to be Chinese—higher-risk vendors try to sneak under the wire by purchasing or using proxies? Again, I think that needs to be considered.

None Portrait The Chair
- Hansard -

I am afraid that brings the time for this witness session to a close. I think that we could all have done with a bit longer with both of you gentlemen, but thank you very much for your evidence. We are extremely grateful to you. That brings the formal part of the proceedings to a close.

Ordered, That further consideration be now adjourned. —(Maria Caulfield.)

Telecommunications (Security) Bill (Fifth sitting)

Matt Warman Excerpts
Committee stage & Committee Debate: 5th sitting: House of Commons
Thursday 21st January 2021

(3 years, 10 months ago)

Public Bill Committees
Read Full debate Telecommunications (Security) Act 2021 Read Hansard Text Read Debate Ministerial Extracts Amendment Paper: Public Bill Committee Amendments as at 21 January 2021 - (21 Jan 2021)
Lord Beamish Portrait Mr Jones
- Hansard - - - Excerpts

I agree. The issue with both Ericsson and Nokia is that they will have Chinese components in their hardware. This is an incredibly complex situation, as my hon. Friend said: we are talking about not just one piece of kit that most of us have in our pockets, but hundreds of thousands of components, pieces of software and other things. What I am trying to put on the record, and what I want the Minister to respond to, is the question of how we get an understanding of any risks that are involved in that, and how the regulator and the Government are going to look at ways in which national security could be compromised, not by the main company being owned by a Chinese state entity, a Russian state entity or any actor that we feel is a threat to us, but by a key component.

I have not yet really understood how the regulator will look at that issue further down the supply chain, and whether it will ask a supplier of kit to the telecoms network, “What is the level of threshold or security that you need?” That is hard enough with hardware, but with open RAN and software—we are talking about bits of code—it is going to be incredibly difficult. One of the issues is around vulnerabilities, and various things have been said about the vulnerability that Huawei poses to our telecoms network. However, I suggest people read the Huawei assessment centre’s annual reports—I am rather sad, because I read such documents. One thing sticks out every single year, and it is not that the Chinese are doing anything nefarious. The reports are highly critical of Huawei for its shoddy workmanship and engineering, but that type of shoddy engineering and a lack of attention to security will lead to security concerns in our telecoms network.

Amendment 7 is designed to tease out from the Government their thinking about the supply chain. We do not want to be over-burdensome on it, because we want to get innovation in the supply chain. We do not want to suddenly give researchers and other people in the supply chain huge regulatory hurdles to jump over, because that would stifle the development that we are looking for. It is about how individual components and the overview of the supply chain will be regulated. I have tabled a later amendment about Ofcom, but again it comes back to the point I made yesterday about the National Security and Infrastructure Bill. What has to be at the heart of it all, every single time, is not to stifle innovation and prosperity, but what has to come first every time is national security.

As I say, amendment 7 is a probing amendment, and I want to understand where the Government are at in terms of the supply chain, the security they feel they need over the supply chain and, more importantly, the visibility of the supply chain.

Matt Warman Portrait The Parliamentary Under-Secretary of State for Digital, Culture, Media and Sport (Matt Warman)
- Hansard - -

It is a pleasure to serve under your chairmanship, Mr Hollobone. I echo the thanks of the hon. Member for Newcastle upon Tyne Central to you and the House staff for facilitating this Public Bill Committee. I also echo her praise for the temperature of the room and especially her commitment to crack on and not fill it with further hot air. That is to be welcomed.

Like the hon. Lady, I will briefly talk about the broader context of the Bill before I directly address this group of amendments. As we all know, security should be the first priority for any Government, and the Bill demonstrates this Government’s commitment to securing the UK’s telecoms networks.

Clauses 1 to 14 raise the bar for security across the whole telecoms sector, and the subsequent clauses—15 to 23— provide the mechanism for the Secretary of State to manage the role of high-risk vendors. The part that telecoms plays in our security is undeniable and has become even more evident in the midst of this global pandemic. At present, the internet provides absolutely everything for workplaces, schools, families and friends, and the Government are committed to improving that through our gigabit programme. New technologies have the potential to be transformative, but they have the opportunity to reach their full potential only if they are secure, and the Bill will ensure that.

Before I explain the Government’s response to amendments 7 and 8, it is necessary to explain briefly how they would interact with clause 1. New section 105A in clause 1 places a duty on providers to take “appropriate and proportionate” measures. Those measures oblige providers to identify and reduce the risks of security compromises and require them to prepare appropriately for those risks. New section 105A also addresses the interaction between the duty and the national security and law enforcement activity, such that these activities are appropriately excluded from the definition of a security compromise. I will return to new section 105A later—I know that will excite the Committee.

Alongside the overarching security duty in new section 105A, new section 105B gives the Secretary of State the powers to make regulations that impose duties to take specific security measures. Clause 1 creates a duty for providers to take “appropriate and proportionate” measures to protect their networks and services from security compromises. “Security compromise” is then defined in new section 105A.

--- Later in debate ---
Lord Beamish Portrait Mr Jones
- Hansard - - - Excerpts

I would, and this is really a probing amendment to get an understanding of what the Government think, but may I ask the Minister a direct question about the national security bodies—GCHQ and others? If they came across a component or something that a supplier was producing that raised concerns, how would their concerns be translated into saying that a red warning should be put on a certain component in a supply chain?

Matt Warman Portrait Matt Warman
- Hansard - -

I simply say that, as the right hon. Gentleman knows, the NCSC and others already work very closely with the networks. What he seems to be talking about, in some ways, is a very day-to-day way of talking about security concerns. That happens a lot already, and what the codes of practice and other documents will do is set up the framework by which that is formalised. As he knows, that process of very quick action being taken as soon as something is spotted, both by the networks themselves and by our agencies, is already well established, and the Bill gives considerably greater force to it.

As the right hon. Gentleman knows, the Bill is aimed at ensuring that providers take responsibility for the security of their networks and services in a way that has not happened, in legislative terms, in the past, and it then provides the Government with the powers that we need to enforce that. In so far as any supply chain components give rise to risks to the security of a network or service, new section 105A already requires providers to take appropriate action and proportionate measures to identify those risks. I appreciate that this is a probing amendment, but in a sense what the right hon. Gentleman is seeking to do through it is already there, and it will be enforced in the documents, such as the code of practice, that I have mentioned.

Furthermore, the addition of the presence of a supply chain component as a security compromise would not be consistent with the security framework’s definition of a security compromise, but I do not think that we need to get into too much detail about that in the context of a probing amendment. The concept of a security compromise is used in other provisions in the Bill, and it is important that we are consistent.

More fundamentally, the right hon. Gentleman’s amendment would put the onus on providers, rather than the Government, to determine a national security risk, but, as he implied, it is absolutely down to the NCSC and, ultimately, the Government and agencies to make that definition. Placing the responsibility for determining what does and does not constitute a threat to national security on the shoulders of all individual providers is not the right thing to do, and I think, to be fair, the right hon. Gentleman is not really suggesting that it is, either.

Chi Onwurah Portrait Chi Onwurah
- Hansard - - - Excerpts

I thank the Minister for the way in which he is addressing these important proposals. I think that his concern is that this amendment would put the responsibility on the providers rather than the National Cyber Security Centre, and I understand that, but can he say a little about the following matter, because it is the providers that know their networks? The National Cyber Security Centre is excellent, and we have huge admiration for it, but in terms of the supply chains, changes to the supply chain and new components evolving, how does he envisage that, day to day, working effectively without an amendment of this kind to put this requirement on the providers?

Matt Warman Portrait Matt Warman
- Hansard - -

As I have said, new section 105A partly provides the legal basis that the right hon. Gentleman seeks, but in practice no one is suggesting—the Secretary of State talked about this on the Floor of the House—that it is solely the name on the box of a piece of kit that defines international security status. We are not naive to the possibility of the supply chain being another vector of attack. That would be reflected in codes of practice and elsewhere around the legislation.

Public telecoms providers can and should consider the security of the resilience of their networks and services throughout the supply chain in a sensible and proportionate way. National security considerations are inevitably much broader than the issues that can be addressed solely by private companies. I think that is reflected in the distinction drawn up in this Bill.

The amendment would have implications for Ofcom’s monitoring and enforcement of providers’ compliance. The Bill includes provisions for Ofcom to collect information on behalf of the Secretary of State in narrow and specific areas related to national security, but this amendment would require Ofcom more actively to take some of the compliance judgments. In the evidence session the right hon. Gentleman was keen to see that it was not asked to make those judgments.

Lord Beamish Portrait Mr Jones
- Hansard - - - Excerpts

Clearly NCSC does a tremendous job in terms of education of members of the public and companies —as the Minister outlined, that is a key part of its role. Does he see, therefore, a role for Ofcom as part of that, in terms of ensuring that the supply chain and operators are aware of their responsibility not only under the Bill, but to ask the right questions about supply chains from what might be deemed as high-risk vendors?

Matt Warman Portrait Matt Warman
- Hansard - -

In so far as codes of practice will be published by Ofcom, the answer to the right hon. Gentleman’s question is yes. The more nuanced answer is that it is a co-production between Ofcom, the Government, NCSC and others.

To conclude, the Government are immensely sympathetic to the issues that the right hon. Gentleman and the hon. Lady seek to probe, but we take the view that this amendment would do something that is, ultimately, already covered in the Bill. I hope that, in that spirit, she will withdraw the amendment.

Chi Onwurah Portrait Chi Onwurah
- Hansard - - - Excerpts

I thank the Minister for his response. I am concerned that there is not greater clarity on the role of the supply chain components and the supply chain more generally. We will come to that in further amendments. Given where we are and how we got here, we must take a forward-looking approach to future risks and vectors for risks. This amendment is important in probing that, but I do not seek to put it to a vote. I beg to ask leave to withdraw the amendment.

Amendment, by leave, withdrawn.

--- Later in debate ---
Chi Onwurah Portrait Chi Onwurah
- Hansard - - - Excerpts

I will not detain the Committee long, given that my right hon. Friend the Member for North Durham made such excellent points. I will add one point of consideration, which again, his modesty may have forbidden him from making.

The amendment goes to the heart of our concerns about the scrutiny of the provisions in the Bill. I say again for the record that we support the wide-ranging powers that the Bill gives the Secretary of State, but those powers must come with appropriate scrutiny, not because scrutiny is a “nice to have” or, as my right hon. Friend said, because the ISC needs further work, but because scrutiny of the provisions is essential to the good working of the legislation in practice.

Considering specifically the impact of the requirement to remove Huawei at this stage in our 5G roll-out—the economic impact, the cost to the providers and the cost to our economy—we recognise that it is the right thing to do, but we must also recognise the cost of doing it. Back in 2013, the ISC was one of the first parliamentary organisations to raise the issues around Huawei. I truly urge the Minister to accept this constructive amendment to support the appropriate provision of scrutiny.

My other point is more about the working of the clause, which gives the Secretary of State the power to make regulations that require providers to take specified security measures. As we know, the telecoms security framework and telecoms security requirement, to which all providers must adhere, will be set out in delegated legislation. In his response, will the Minister give us some idea of why the Secretary of State might need to set out additional specified requirements that are not in the draft of the TSR that he has published? Is the intention of the clause to enable him to set out additional specified requirements, or is it to enable him to highlight particular specified requirements that he does not think the providers are meeting quickly enough? In either case, does that not suggest that there are particular security concerns, either about providers or about the circumstances, that require these specific security measures? To come back to my first point, does that not highlight for those concerns to receive parliamentary scrutiny, with the appropriate clearance, which is to say that of the Intelligence and Security Committee?

Matt Warman Portrait Matt Warman
- Hansard - -

I start by acknowledging the incredibly important work that the ISC does. Its role in overseeing the work of the UK intelligence community is vital to maintaining public trust, as the right hon. Member for North Durham described, and its members make important contributions to public debates on national security matters of all kinds. The right hon. Gentleman has done that for a number of years. Because he is a member of the ISC, he will know that I have proactively engaged with it on the substance of the Bill. I did so enthusiastically—if any Minister can ever regard a Select Committee appearance enthusiastically—and in recognition of the interest that I knew that Committee would have in the Bill. I will be writing again to the ISC on a number of matters raised in the Bill, and I have instructed officials from my Department to continue to engage with the ISC as the Bill proceeds through Parliament, building on the work that it has already done and on the transparency that we have already demonstrated by publishing the draft of the security framework regulations on 13 January, copies of which have been provided to the members of the ISC and a number of other interested Committees. I hope that all that demonstrates the Department’s commitment to working constructively with the ISC, despite the fact that, as the right hon. Gentleman said, DDCMS does not normally fall within the ISC’s formal remit.

It is none the less important to acknowledge that the ISC is not the only legitimate avenue to scrutinise this framework. We fully intend to make use of all the appropriate parliamentary procedures.

The regulations and the explanatory memorandum accompanying them will all be there for the ISC to scrutinise. There is also further guidance to providers in connection with the measures specified in the regulations that can be provided in the code of practice, which must be published, with a copy laid before Parliament. Also, beyond the usual arrangements for secondary legislation, new section 105Z of the Communications Act 2003 provides for Ofcom to produce security reports. Clause 11 of the Bill enables those reports to be published by the Secretary of State, and clause 13 provides for a review of the effectiveness of the framework, including any regulations, after five years.

It is in that context that I point to the enthusiasm with which we have engaged with the ISC. We will continue to do so and ultimately—this is perhaps the reason why the right hon. Gentleman described this process as an ongoing campaign, rather than something that we should address piecemeal—the ISC is clearly defined in the Justice and Security Act 2013. I do not think it would be right to address the memorandum of understanding that he referred during our consideration of the Bill. We should not go at it in piecemeal fashion. The role of the ISC as set out in that MOU is to oversee the work of the security agencies, to provide oversight of certain intelligence or security matters within Government. Ultimately, if the right hon. Gentleman wants to change the MOU, that is a broader issue for him to take up. I note that he is not the only Member of this House to have made that point, but it is not my place to take a view on the role of the ISC; that should be for the ISC itself.

I am confident that we will continue to engage with the ISC; I personally will certainly do so. I know that the DCMS Committee will continue to take an interest, and I will simply say that we will co-operate as fully as possible. I will set out more in the letter I mentioned, and I look forward to the future salvos in the right hon. Gentleman’s campaign.

Lord Beamish Portrait Mr Jones
- Hansard - - - Excerpts

I make no criticism of the Minister, because he has been very proactive, as has his Secretary of State. The problem is this: we have two pieces of legislation going through Parliament. We do not have security Bills very often in this place, and now we have two in a very short period of time. Both make eminent sense and I support them, but this is not something that comes up regularly.

In terms of the Minister’s co-operation, I have no complaints about the way he has operated, but he is not going to be there forever and neither is his Secretary of State, so we need to put in place something that will weather the passage of time, and create an arrangement whereby it will be seen that Parliament is scrutinising these measures. I do not know why the Government—I am sure it is not the Minister, or even his Secretary of State—are resisting this. Frankly, I am not really bothered whether it goes on the face of the Bill or in the MOU, but the Justice and Security Act 2013 is very clear that as a Committee, the ISC has the ability to look at this.

I accept that it would be wrong to get into issues around this Bill that are quite rightly, as the Minister said, for the relevant Select Committee—the Committee on Digital, Culture, Media and Sport—to deal with. We would never do that, so I will withdraw this probing amendment, but we will come back to this issue. I am not usually a betting man, but I suspect that by the time this Bill and the other Bill go through, we will have got to where both I and the Minister—I think, privately—think we should be. I therefore ask leave to withdraw the amendment.

Amendment, by leave, withdrawn.

Telecommunications (Security) Bill (Sixth sitting)

Matt Warman Excerpts
Committee stage & Committee Debate: 6th sitting: House of Commons
Thursday 21st January 2021

(3 years, 10 months ago)

Public Bill Committees
Read Full debate Telecommunications (Security) Act 2021 Read Hansard Text Read Debate Ministerial Extracts Amendment Paper: Public Bill Committee Amendments as at 21 January 2021 - (21 Jan 2021)
Lord Beamish Portrait Mr Jones
- Hansard - - - Excerpts

My hon. Friend makes the point precisely: the way in which telecoms have developed in this country has been piecemeal, only developing now into the four main operators. I hope we will try to get others into the market.

We are to blame for that, as consumers, because we have demanded ever lower prices for our mobile services. Does that suggest that the operators have taken shortcuts? No, I am not suggesting that, but consumer preferences have driven down price, and therefore the costs of what those operators provide in delivering the services that we all take for granted. Let us be honest: the Chinese saw the opening door for Huawei—that is why they bought into and flooded the market, putting Government loans behind it. Can we blame the operators for saying, “Well, actually, this is a good deal—we can get good deals”? But they cannot.

I am interested to know from the Minister how, looking forward, we are going to do that. I accept that something will be done under the regulations that the Government will put out, but how will we look backwards as well? As my hon. Friend the Member for Newcastle upon Tyne Central said, there is a lot of legacy equipment there, and it is important for Ofcom to have a clear understanding of what is in the networks.

Matt Warman Portrait The Parliamentary Under-Secretary of State for Digital, Culture, Media and Sport (Matt Warman)
- Hansard - -

It is a pleasure to serve under your chairmanship, Mr McCabe.

We are redefining UK telecoms security, but I worry that we are also redefining the aspiration of the hon. Member for Newcastle upon Tyne Central to crack on, so I will try to be brief. The good news that I can deliver, briefly, is how the aspirations of both the hon. Lady and the right hon. Member for North Durham are met in the legislation, and how we envisage those aspirations’ being implemented.As the Committee is aware, the Government have published an early draft of the security regulations. Certain draft requirements are relevant to the aims that we have talked about today. If hon. Members look at regulation 3(3)(a), with which they will be familiar if they are insomniacs, they will see a duty for network providers

“to identify, record and reduce the risks of security compromises to which the entire network and each particular function… of the network may be exposed”.

That is already there and key to the issues that hon. Members have been talking about.

Chi Onwurah Portrait Chi Onwurah
- Hansard - - - Excerpts

I had looked at those requirements. I appreciate that they are drafts, but they talk about identifying issues. They do not say “audit”.

Matt Warman Portrait Matt Warman
- Hansard - -

I think this would be impossible to identify without carrying out some kind of audit. There is a danger of a semantic argument, but I understand the point the hon. Lady is making. We want people to be in the position to make the kind of identifications that we are requiring. I do not see how they could do that without the records to which she refers, in terms of both the existing kit and future kit that they might put into their network.

Christian Matheson Portrait Christian Matheson (City of Chester) (Lab)
- Hansard - - - Excerpts

This is an important point. The criticism that I will articulate later is that too much of the Bill is based on an assumption that the players in the sector will automatically do the right thing. For example, there is an assumption of a dialogue between Ofcom and the major players. Will the Minister think about whether he is satisfied that an assumption goes far enough in something as important as this?

Matt Warman Portrait Matt Warman
- Hansard - -

The regulation that I cited is an example of the Government not relying on assumptions. It is an example of us publishing, in advance, exactly the sort of material that demonstrates that this is not assumptions, and that it is there in black and white. That is an important distinction and it demonstrates the cross-party consensus that we have had thus far. We continue to be on the same page in terms of the level of detail required.

The evidence sessions with industry demonstrated that national providers already maintain some asset registers. Witnesses were clear that those registers are maintained and updated as technologies are updated. That is an important part of the existing landscape, but our regulations will ensure this kind of best practice is extended across public telecoms providers.

In addition, the Bill contains measures with regard to the use of particular vendors’ equipment. Inspection notices under clause 19 enable Ofcom to carry out surveys of a specific network or service where Ofcom receives a monitoring direction from the Secretary of State to gather information on a provider’s compliance with a designated vendor direction. Alongside that, clause 23 enables the Secretary of State to require the provision of information about the use of goods, services or facilities supplied, provided or made available by a particular person. That could be used to require information about a provider’s use of a particular vendor’s equipment.

Taken together, the issues that have been raised are not only entirely legitimate, in the view of the Government, but are addressed in black and white already, both in the Bill itself and in the drafts that we have published. We are ensuring that “hardware of interest,” whatever that might be, is subject to proper oversight and monitoring. That objective does not need the approach that might come as a consequence of this amendment, because it is already there. For that reason, I welcome the probing nature of the amendment. I hope that my answer has satisfied some of the concerns, and I look forward to doing so further in future answers.

Chi Onwurah Portrait Chi Onwurah
- Hansard - - - Excerpts

It is a pleasure to serve under your chairmanship, Mr McCabe, and I thank the Minister for his comments. I also thank my right hon. Friend the Member for North Durham and my hon. Friend the Member for City of Chester for their comments. This amendment is probing, so we will not push it to a Division. I would like to say two things to the Minister. Although it is true that the providers were confident that they had an asset anywhere their equipment was, other experts who gave testimony in the evidence sessions were not. My experience of networks is that there are multiple systems and this information is not easily accessible or searchable.

I am reassured by the Minister saying that his view is that these requirements could not be met without there having been some kind of audit, to have that information ready. I ask him to write to me, if possible, stating which provisions in the requirements set that out. I beg to ask leave to withdraw the amendment.

Amendment, by leave, withdrawn.

Question proposed, That the clause stand part of the Bill.

Matt Warman Portrait Matt Warman
- Hansard - -

It is good to reach this landmark point. I do not propose to go over all the ground we have covered, because we have already covered a large chunk of this in discussing the amendments.

As I mentioned, proposed new section 105A means that telecoms providers will need to take appropriate action to ensure adequate security standards and limit the damage caused by any breaches. To support that duty, the proposed new section will create a new definition of “security compromise”. The definition is purposely broad. It includes anything that compromises the availability, performance or functionality of a network or service, or that compromises the confidentiality of the signals conveyed by it. That addresses some of the points made by the right hon. Member for North Durham a moment ago. This is a comprehensive approach that will help to ensure providers protect their networks and services properly in the future.

Earlier, I mentioned law enforcement and national security. This part of the Bill excludes certain conduct that is required or authorised under national security legislation or for law enforcement from the definition of “security compromise” in subsections (3) and (4). Those subsections also clarify the fact that, for example, disruption of the use of unauthorised mobile phones in prisons would not be a security compromise.

Proposed new section 105B will give powers to the Secretary of State to make regulations imposing duties to take specific security measures. The power will enable more detailed requirements to be imposed on providers, further to the overarching duty set out in proposed new section 105A(1). This will give greater clarity to providers about the measures that they must take. It will also allow the legal framework to be adapted as new threats arise and technology changes.

These security requirements deliver on our commitment in the telecoms supply chain review to place targeted, actionable and proportionate requirements on a statutory footing. Taken together, the new overarching security duty and requirements will, in secondary legislation, make clear what the Government expect of public telecoms providers. The provisions in the clause are crucial for improving the security of our telecoms infrastructure.

Chi Onwurah Portrait Chi Onwurah
- Hansard - - - Excerpts

As the Minister says, reaching the end of consideration of clause 1 is a landmark. We are cracking on at a slower pace than anticipated, but it is important that we have rehearsed a number of the arguments that you will hear, Mr McCabe, throughout our detailed scrutiny of the Bill.

Those arguments relate to our concerns with regard to national security, which Labour prioritises, yet we do not see that priority recognised consistently in the Bill; the effective plan to diversify supply chains on which it depends, but which it does not mention; and the scrutiny of the sweeping powers that the Bill will give to the Secretary of State and Ofcom. Those issues all arise in the clause, although we welcome the Bill and the increased duties. Will the Minister clarify the relationship between proposed new section 105A and proposed new section 105B? If he cannot do so now, perhaps he will write to me.

--- Later in debate ---
Notwithstanding that outstanding question, we are happy to support the clause.
Matt Warman Portrait Matt Warman
- Hansard - -

I am happy to write to the hon. Lady on the matter she has discussed. We anticipate draft directions in due course that will be network specific, because each network is different, but the overall tenor will be in the same direction. This is probably a matter that we can talk about outside the Committee in a bit more detail to make sure she gets the answers she wants.

Question put and agreed to.

Clause 1 accordingly ordered to stand part of the Bill.

Clause 2

Duty to take measures in response to security compromises

Question proposed, That the clause stand part of the Bill.

Matt Warman Portrait Matt Warman
- Hansard - -

We are one thirtieth of the way there. The clause will place a duty on providers to take measures in response to security compromises through proposed new section 105C. When managing security, providers should seek to reduce the risk of security compromises occurring under their duty in proposed new section 105A. As security threats and attacks evolve, it will never be possible for providers to reduce that risk to zero. Therefore, should a security compromise occur, it is crucial that providers take swift and effective action to mitigate its effects. Taking action quickly will also help to mitigate the risk of any further incidents.

Mirroring the approach taken in clause 1, the new duty in proposed new section 105C is overarching and sets out a general duty on providers. It is supported by proposed new section 105D, which will provide the Secretary of State with powers to make regulations requiring providers to take specific measures in response to security compromises of a description specified in regulations. Although it will clearly not be possible to anticipate every security compromise that might occur and to set out how providers should respond, this will enable more detailed provision to be made in appropriate cases. Measures can be specified in the regulations only where the Secretary of State considers those measures appropriate and proportionate.

In practice, the first set of requirements will be contained in a single set of regulations made under the powers of proposed new sections 105B and 105D. A draft of the regulations has already been made available to members of the Committee, and published on gov.uk. Regulations made using this power will give providers clarity about the measures that they need to take, and having those measures set out in secondary legislation has the benefit of allowing the regulations to be reviewed as technology and security threats change over time.

In summary, this duty on providers is an integral part of the new framework, which will ensure providers take control of the security of their networks and services at a time when the UK stands on the cusp of a 5G and full fibre revolution. We must keep those technologies secure to enjoy their full benefit, and the clause is essential to doing that.

Chi Onwurah Portrait Chi Onwurah
- Hansard - - - Excerpts

We are cracking on: clause 2 is taking but a few minutes. The Opposition recognise the critical importance of our network providers taking responsibility for the security of their networks, and that there can never be a zero-risk network. Given that network communications are ever present in almost every aspect of our life and of our nation’s economy and security, it is right and appropriate that the Bill should put requirements in place, both on the operators and in response to specific security compromises.

I should like to have better understood how we would expect network operators to respond to a compromise such as the SolarWinds one, for example, but I expect that the clause will at least place the right duties on network operators, and I am content that it should stand part of the Bill.

Question put and agreed to.

Clause 2 accordingly ordered to stand part of the Bill.

--- Later in debate ---
Chi Onwurah Portrait Chi Onwurah
- Hansard - - - Excerpts

I rise to support my right hon. Friend’s excellent comments and to add a couple of points on amendment 10, which would require the Secretary of State to consult the National Cyber Security Centre before issuing a code of practice about security matters. My right hon. Friend spoke ably about the amendment’s intent to ensure security input on national security measures. That sounds basic, so I hope the Minister will explain why he feels it is unnecessary to make that explicit in the Bill. My right hon. Friend suggested that perhaps it should go without saying, but as we heard in the evidence sessions and have already discussed, the evolving security landscape and the change that the Bill represents, through the new powers for the Secretary of State and Ofcom, make it particularly important to set that out expressly.

The Bill looks at many issues to ensure the security of our networks from supply chains to requirements on network providers as well as raising technical issues, and Ofcom will need to do a lot specifically, so it is important to have a specific reference to the security function of the National Cyber Security Centre.

It came across clearly in the evidence sessions that Ofcom will not be making national security judgments. Lindsey Fussell said:

“It is important to say that, across the scope of the whole Bill, it is not Ofcom’s role to make national security judgments. That is really important. Clearly, that is the Government’s and the Secretary of State’s role, taking advice from the NCSC and the intelligence agencies.”—[Official Report, Telecommunications (Security) Public Bill Committee, 19 January 2021; c. 89, Q113.]

In introducing the code of practice, it is essential to ensure that security input and expertise. I do not see why the Minister would object to including such a requirement in the Bill. Unfortunately, we are not always as joined up as we would like to be. There are numerous examples of issues that could have been prevented, had agencies of Government done what might have been expected of them and talked to teach other. As the Bill involves network operations and deep technical and security issues, a requirement to consult the NCSC is particularly important, and that is what the amendment would achieve.

Matt Warman Portrait Matt Warman
- Hansard - -

I apologise in advance, having said that we should crack on, for detaining the Committee for a few minutes on this group of amendments. They relate to clauses 3 and 4, which deal with the codes of practice for security measures and informing others of security compromises. Ultimately, the new telecoms framework comprises three layers. There are strengthened overarching security duties set out in the Bill, there are specific security requirements in secondary legislation, and there are detailed technical security measures in codes of practice. Clause 3 deals with the final layer of the new security framework. Specifically, it provides the Secretary of State with the power to issue and revise the codes of practice and sets out the legal effects of any published codes of practice.

Clause 4 addresses what would happen should there be a security compromise. It puts in place a process for users to be informed of significant risks of a security compromise. The clause also places a duty on public telecoms providers to inform Ofcom of any security compromises with significant impacts, and it creates the power for Ofcom to inform other persons in turn, including users.

I turn now to amendment 5, which seeks to ensure that the NCSC is also informed of security compromises. From a drafting point of view, the NCSC is part of GCHQ, and I take the amendment to refer to GCHQ in that sense. Within the new telecoms framework, the Department for Digital, Culture, Media, and Sport will set the policy direction, Ofcom will regulate and the NCSC will provide technical and security advice. As the UK is an world-leading national authority on cyber-security, we expect the NSCS to share its expertise with Ofcom in order to support the implementation of a new telecoms security framework.

For that reason, the Government absolutely agree that it is crucial that the NCSC receives information about telecoms providers’ security. That is why such information-sharing provisions already exist. Under section 19 of the Counter-Terrorism Act 2008, Ofcom or the Secretary of State is able to share with the NCSC any information that would support the NCSC in carrying out its functions. That would of course include the passing on of details of security incidents. Under new section 105L of the Communications Act 2003, which this Bill inserts, Ofcom must report all serious security incidents to the Secretary and State and can pass on information about less serious incidents as well. On receiving such information, the Secretary of State can then share the information with the NCSC, as I have set out. Although these probing amendments are well-intentioned, it is obvious that the provisions are already there.

Chi Onwurah Portrait Chi Onwurah
- Hansard - - - Excerpts

I thank the Minister for his response to the amendments. He is focusing on the fact that it is possible for information to be shared, but it is not required. I understand that the Bill as drafted, and preceding best practice, means that it is possible for information to be shared. My concern is that it is not required.

Matt Warman Portrait Matt Warman
- Hansard - -

I understand the hon. Lady’s point, and I will come to something that I think will address it in a moment. Before I do, I will speak to amendments 6 and 10, as they would be functionally identical amendments to new section 105F in clause 3.

New section 105F sets out the process for issuing a code of practice. It requires a statutory consultation on a draft code of practice with the providers to whom the code would apply, Ofcom and other persons such as the Secretary of State considers appropriate. The amendments would apply an additional requirement to formally consult the NCSC when publishing a draft code of practice. I can reassure the Committee that we will continue to work closely with technical experts at the NCSC, as we have done over a number of years.

The telecoms supply chain review demonstrated the Department’s capability to work with our intelligence and security experts to produce sound recommendations, backed by the extensive and detailed security analysis that I know Members of all parties would like to see. That initiated the next phase of the collaborative work that culminated in the introduction of the Bill, and the codes of practice continue that theme. The purpose of such codes is to provide technical security guidance on the detailed measures that certain public telecoms providers should take to meet their legal obligations.

We have already been clear that NCSC guidance will form the basis of an initial DCMS-issued code of practice. The NCSC has already developed a set of technical measures that is in the process of being tested with the industry, and those technical measures have been refined and improved over the last two years. The NCSC will continue to update the measures to reflect any changes in the landscape of threats, as the right hon. Member for North Durham described, and the relationship between the work of the DCMS and that of the NCSC means that such changes would be reflected in the code of practice. Alongside the DCMS and Ofcom, the NCSC will play a key role in advising public telecoms providers on how to implement detailed codes of practice.

Lord Beamish Portrait Mr Jones
- Hansard - - - Excerpts

I agree with the Minister, in the sense that I think he and the Secretary of State at the DCMS are committed to there being very close working, but as I said, he ain’t gonna last forever. An issue will come up —in fact, it came up last night on the National Security and Investment Bill—when operators and others say, “Actually, from a commercial point of view, this is more paramount,” or, “This is what we should be doing.” The Secretary of State will come under a lot of pressure to perhaps look at prosperity issues rather than security issues. I just wonder whether, without the relevant provision in this Bill, a future Secretary of State could say, “Well, I’m going to ignore that issue, because I want to pander to”—well, not pander to—“accept the commercial and prosperity arguments.”

Matt Warman Portrait Matt Warman
- Hansard - -

The right hon. Gentleman keeps going on about ministerial impermanence, but I will not take it personally.

Lord Beamish Portrait Mr Jones
- Hansard - - - Excerpts

I talked about promotion.

Matt Warman Portrait Matt Warman
- Hansard - -

Too kind! The key part to this is that, obviously, Ofcom remains an independent regulator and will be working closely with others. The right hon. Gentleman makes a fair point about the inevitable balance between national security and a whole host of other issues, but ultimately that independence is absolutely essential. In the light of our long-standing and established working relationships across the DCMS, NCSC and Ofcom, it seems reasonable to say that there is a track record demonstrating what he has asked for. But given the Committee’s interest in the role of the NCSC in this regime, I will just make one last point. Its role is not explicitly described in the Bill, as the NCSC already has a statutory remit, as part of GCHQ, to provide technical security advice and to receive information on telecoms security for the purpose of exercising that function.

The NCSC and Ofcom will very soon publish a statement setting out how they will work together. I think that addresses some of what the hon. Member for Newcastle upon Tyne Central mentioned; I believe she has some familiarity with Ofcom. I think it is right, because they are independent, that that statement comes from them, as well as the Government expressing a view on this. The statement will include information on their respective roles and their approach to sharing information on telecoms security, and it should provide greater clarity, which hon. Members are entirely legitimately asking for, about the NCSC’s role, including how it will support Ofcom’s monitoring, assessment and enforcement of the new security framework.

I hope that the sorts of matters that I have talked about provide the kind of reassurance that Members have asked for.

Lord Beamish Portrait Mr Jones
- Hansard - - - Excerpts

A statement is a welcome step forward, but—the Minister can write to me on this; he need not respond to me today—what is its legal weight? Again, I am not wanting to consider the Minister’s demise, but I would like to know that future Secretaries of State and Ministers will use it as the template and will not be able to say, “Well, we are going to ignore that statement.” That would be very welcome, because it would bind the two organisations together, which is important, and ensure that the security aspects were taken into consideration, but will the Minister just write to me, saying what weight the statement would have? I have to say that I sympathise; I do not like Christmas tree Bills that start having things added on. If it could be done in a complete way, I would be quite happy with that. The only thing that I want to know is, basically, what its status will be in future. I beg to ask leave to withdraw the amendment.

Amendment, by leave, withdrawn.

Question proposed, That the clause stand part of the Bill.

Matt Warman Portrait Matt Warman
- Hansard - -

The Committee has already heard me talk about some of this, but I think it important to provide a little more detail. The code of practice, which we have discussed, is a fundamental building block of the regime and will contain more specific information on how telecoms providers can meet their legal duties. It will provide guidance on how, and to what timescale, certain public telecoms providers should comply with their legal obligations, and will be based on technical analysis by the NCSC. Individual measures will therefore reflect the best protections against the most pressing threats to network security. The code will, for example, set out the detailed technical measures that should be taken to segregate and control access to the areas of networks that process and manage customers’ data.

We recognise of course that different companies have different ways of setting up and running their networks, and because our telecoms market is dynamic and competitive, providers range in scale from multinational giants such as Vodafone down to innovative local start-ups. We want therefore to ensure that the code of practice is proportionate, and that public telecoms providers take appropriate security measures.

I will touch as briefly as I can on how we intend to achieve that proportionality through a tiered system. Tier 1 will contain the largest national-scale public telecoms providers. Should any of those providers have a significant security incident, it could bring down services to people and business across the UK. Those operators will have the greatest level of oversight and monitoring from Ofcom. Tier 2 will contain medium-sized public telecoms providers. Those providers may not be as large, but in many cases they are critical to regions and to business connectivity. They are expected to have more time to implement the security measures set out in the code of practice.

Tier 3 will contain the smallest public telecoms providers, including small businesses and micro-enterprises, which, of course, must also comply with the law. They are not anticipated to be subject to the measures in the code of practice, but will need to comply with their legal duties as set out in new sections 105A and 105C, and in any regulations. Our expectation is that Ofcom would regulate those providers more reactively.

New section 105F describes the process for issuing a code of practice. When the Government publish a draft code of practice, we will consult with industry, Ofcom and any other appropriate persons. Specifically, publishing the first code of practice will include consulting on the thresholds of each of the tiers that I have described and on the timings for their implementation. Following the consultation period, and once the code is finalised, it will be published and a copy will be laid before Parliament.

New section 105G gives the Secretary of State the power to withdraw a code of practice. Again, that will follow consultation with industry and Ofcom. A notice of withdrawal will be laid before Parliament. The legal effects of the code of practice are described in new section 105H. To be clear, the code of practice is guidance only; it is an important tool that operators should use to comply with their legal duties.

Lord Beamish Portrait Mr Jones
- Hansard - - - Excerpts

Is the Minister saying that the code of practice is the standard that providers are expected to meet? Is it the legal bare minimum or do we expect them to do more than what is set out in the code of practice? What is the direction of travel?

Matt Warman Portrait Matt Warman
- Hansard - -

The legislation places a duty on providers. Meeting the strictures of the code of practice would be the way of demonstrating that they were meeting that duty as an initial step, but of course, we see individual companies making decisions, for a host of reasons, to exceed codes of practice in every area of regulated life,

and I would expect that to continue in the area in question as well.

Where relevant, provisions in a code could be taken into account in legal proceedings before courts or tribunals, which I think gives some sense of their status. That would include any appeals against Ofcom’s regulatory decisions heard by the Competition Appeal Tribunal. Ofcom will take account of the code of practice when carrying out its functions as required in new section 105H(3) in relation to telecoms security, as I have just described.

Under new section 105I, if Ofcom has reasonable grounds for suspecting that a telecoms provider is failing, or has failed, to act in accordance with a code, it can ask public telecoms providers to explain either how they meet the code of practice or, if they do not meet it, why. For example, if the network set-up of a particular telecoms provider meant that it could achieve a level of security equivalent to that in the code by other means, it could explain that in its statement responding to Ofcom. In such a case Ofcom might be satisfied that the provider was complying with its security details, but hon. Members will see that we are again trying to ensure a proportionate approach to the relevant part of the framework.

We believe that the code of practice will provide an appropriately flexible framework, which will be able to change as new security threats evolve, providing clarity for telecoms operators on what is required of them by this new telecoms security framework.

Chi Onwurah Portrait Chi Onwurah
- Hansard - - - Excerpts

I will not detain the Committee very long either, as we agree about the importance of codes of practice. I will not say that I am entirely reassured to hear of the statement being issued by Ofcom and the NCSC on how they will work together, but I certainly think that it is a positive development, and I hope we will be able to see it before the Bill progresses to the House.

On the codes of practice, as my right hon. Friend the Member for North Durham set out, it is important that the sector should understand the standard to which it will be held. I have some concerns about the tiering system, because, as was made clear by a number of witnesses during the evidence sittings, all networks are joined up and we are only as secure as the weakest link. At the same time, it is important to have a proportional burden on new entrants as we indeed hope to diversify the supply chain.

I understand, although perhaps the Minister can clarify the point, that the codes of practice will not refer to the diversification of the supply chain, despite the fact that having a secure network—we shall debate this in more detail—is dependent on having a diverse supply chain. I have made the point a number of times, and will make it repeatedly, that the lack of linkage between the diversification strategy, implementation and the security of our networks is an ongoing cause for concern. However, having made those comments, I do not object to the clause.

Question put and agreed to.

Clause 3 accordingly ordered to stand part of the Bill.

Clause 4

Informing others of security compromises

Question proposed, That the clause stand part of the Bill.

Matt Warman Portrait Matt Warman
- Hansard - -

As with clause 3, I have already spoken to clause 4, addressing an amendment on this issue. It will be crucial that we ensure that the Government, Ofcom, public telecoms providers and their customers have the information that they need to understand when security compromises have occurred, and then use the knowledge to prevent compromises in the future. New section 105J requires that providers inform their users of significant risks of security compromises and actions that they can take to avoid or mitigate any adverse consequences.

We want to ensure that this is done in a transparent and open way, so the clause specifies that telecoms users should be notified in clear and plain language, and given a named contact they can get in touch with if they have any further questions. Giving users that information will help to ensure that, where possible, they can take swift action to protect themselves and raise broader awareness.

New section 105K requires security compromises to be reported to Ofcom. That information will provide Ofcom with insight into the security of individual telecoms providers and security risks across the landscape, enabling us to target its regulatory action more effectively. The Bill also requires that providers report pre-positioning attacks on the network. These are attacks that do not affect the network or service at the time but allow access that could result in further security compromises. These attacks pose real risks but too often remain invisible to a regulator.

Finally, under new section 105L, Ofcom is required to share information about serious security compromises with the Government. It may also share information on less serious compromises if, for example, it would help the Government with developing telecoms policy and future regulation.

The clause explains how Ofcom can share information about security compromise with other groups and organisations, and the Bill allows information sharing at Ofcom’s discretion with overseas regulators, other providers, telecoms users and, where appropriate, the wider public. It allows Ofcom to advise network and service users of the measures that they should take to prevent, remedy or mitigate the effects of the security compromises, to direct providers to give such advice themselves.

The clause ensures that the regulator has access to the information that it needs, and will help to ensure that the entire industry is aware of new and evolving risks and can respond accordingly—be that a customer changing their password or an operator tightening its defences against a new attacker.

Matt Warman Portrait Matt Warman
- Hansard - -

I will pretend I have not finished, and give way to the hon. Lady.

Chi Onwurah Portrait Chi Onwurah
- Hansard - - - Excerpts

I thank the Minister, as always, for graciously giving way. I will make this point later, but I want to give the Minister the opportunity to consider how the requirement for Ofcom to notify users might work with the Information Commissioner’s requirement on data controllers to also notify users when there is a data hack.

Matt Warman Portrait Matt Warman
- Hansard - -

Obviously, there could be an overlap in those notification requirements, but our expectation would not be that anyone would receive multiple notifications. That is why there is an emphasis on the nature of communications being clear and obvious to laypeople.

Lord Beamish Portrait Mr Jones
- Hansard - - - Excerpts

Speaking gives me an opportunity to take my face mask off. I will make a few points about clause 4, which is broadly welcome because it clarifies for operators what their responsibilities are, not just from a national security point of view but from a consumer point of view. I think there is an issue, though, which my hon. Friend the Member for Newcastle upon Tyne Central raised.

Again, I do not want the Minister to respond now, but I think the crossover with the Information Commissioner might be one area that we need some clarity on. Is there an example of this? Yes—the TalkTalk case. People might look at this Bill and think national security is about the Russians or the Chinese hacking, but that was a criminal act that led to a lot of people’s data being compromised. From a constituency point of view, as any Member of the House at that time will know, trying to get TalkTalk to do anything about that, in terms of the losses that people incurred, was virtually impossible. That is why these clauses are so important.

--- Later in debate ---
Chi Onwurah Portrait Chi Onwurah
- Hansard - - - Excerpts

We are cracking on at such a pace that I lost my place somewhat. I had forgotten that we are now discussing clause 4. My apologies, Mr McCabe.

My right hon. Friend the Member for North Durham has already addressed some of the points that I wanted to make, but let me say that we welcome the duty being placed on providers to report security incidents. I have long campaigned, in relation to cases such as the TalkTalk incident, to make that duty clearer and more comprehensive regarding the information that needs to be shared with users and those who are affected, and for them to have some kind of right of redress, which is effectively part of the Bill.

I welcome the requirement in clause 4 to inform others of security compromises, but will the Minister provide more clarity? There is some indication of the range of actors that the providers and Ofcom must inform, but I do not feel that there is an understanding of the level of information that will be shared with different actors. For example, if the public are to be informed of a security breach, compared with the requirement from the Information Commissioner’s Office, which, as I said, actually goes far enough, what level of information might be shared with other actors, such as other networks? My right hon. Friend talked about who else might be informed. It is also clear that the sharing of information will probably need to evolve over time, as the nature of compromises and their potential reach changes. I wonder how these requirements might be adapted to reflect that.

I will just say a little about the sharing of information with overseas regulators. If that is clearly set out in the Bill, I am unable to find it. Presumably, such data sharing will still have to conform with the requirements of our data protection legislation. Will it also reflect international data-sharing gateways for criminal prosecution purposes?

Those are just some general comments. We welcome the clause.

Matt Warman Portrait Matt Warman
- Hansard - -

I will reply briefly. On the point about compensation, essentially new section 105W of the Communications Act 2003, which is inserted by clause 8, covers the civil liability point, which I think opens the door that the right hon. Member for North Durham seeks to open. Then there are the notifications to industry of what is essentially best practice and recent threats. Of course, as he implied, there is a balance to be struck with the existing work of all those involved, but ultimately it would feed into the codes of practice, so there is both an informal and a formal mechanism, if I can put it like that.

On the hon. Lady’s final point about the international sharing of information, it would depend on the nature of the information, as she implied. Some of it would pertain to national security, and some of it would pertain to the kind of criminality that she has spoken about about, where there are existing provisions as well. In that sense, of course, it is all covered by our own data protection regime, which has the sorts of carve-outs I have just described but operates in that holistic framework.

Lord Beamish Portrait Mr Jones
- Hansard - - - Excerpts

Will the Minister write to us on the issue of data and the link to the Information Commissioner?

Matt Warman Portrait Matt Warman
- Hansard - -

I am not sure I fully understand the right hon. Gentleman’s point.

Lord Beamish Portrait Mr Jones
- Hansard - - - Excerpts

I raised the point, as did my hon. Friend the Member for Newcastle upon Tyne Central, that we are asking operators to inform individuals about data compromises. That is welcome, but as my hon. Friend said, there might also be a breach of the Information Commissioner’s regulations, and we just wanted to get some idea of how the two would mesh together. I do not expect the Minister to know now, but could he write to us to say how the two would interact?

Matt Warman Portrait Matt Warman
- Hansard - -

As I said in response to the hon. Lady, there is obviously a potential overlap. The focus of this Bill is on clarity of communication to the consumer, but I am very happy to write to the right hon. Gentleman or the Committee with further details of that potential overlap.

Chi Onwurah Portrait Chi Onwurah
- Hansard - - - Excerpts

The Minister is being incredibly generous with his time. To clarify what we are hoping to receive, as he has indicated, we would not want the ICO to be sending out notifications to 2 million people who had been affected by a hack, and Ofcom to be doing that as well. We would expect there to be co-ordination in that regard, and we would just like to see that set out.

Matt Warman Portrait Matt Warman
- Hansard - -

I am very happy to do so. I think it is obvious that clarity of communication would be incompatible with duplication.

Question put and agreed to.

Clause 4 accordingly ordered to stand part of the Bill.

Clause 5

General duty of OFCOM to ensure compliance with security duties

Christian Matheson Portrait Christian Matheson
- Hansard - - - Excerpts

I beg to move amendment 11, in clause 5, page 9, line 41, at end insert—

“(2) Providers of public electronic communications networks and public electronic communications services must notify Ofcom of any planned or actual changes to their network or service which might compromise their ability to comply with the duties imposed on them by or under sections 105A to 105D, 105J and 105K.”

This amendment would require providers of public electronic communications networks or services to notify Ofcom of any changes to their network or service which might compromise their ability to comply with their security duties.

It is a great pleasure to serve under your chairmanship, Mr McCabe. Since this is my first substantive contribution to the Committee, I pay tribute to the Front Benchers. It is nice to have a Minister who, I believe, was formerly a tech journalist specialising in telecoms, and who knows the subject well. Of course, the shadow Minister, my hon. Friend the Member for Newcastle upon Tyne Central, was a telecoms engineer and an Ofcom regulator for many years, and I pay tribute to her and her staff. The Committee should know that in addition to running this Bill Committee from the Opposition’s side, she has also been working in the main Chamber this week on the National Security and Infrastructure Bill Committee. Juggling two Bills at once is no mean feat.

I have also greatly enjoyed the interplay between my right hon. Friend the Member for North Durham and the hon. and gallant Member for Bracknell, both of whom have considerable national security experience. I was intrigued by my right hon. Friend’s estimation of the hon. and gallant Gentleman’s intervention as Schrodinger’s intervention—one that managed to be simultaneously right and wrong. He has set a new standard there.

From listening to the debates on previous clauses, it is clear that a common thread passes through the Bill, which we in the Opposition have been hoping to link up. Partly, it is to do with the question we raised earlier about the assumption that everybody understands exactly what the intention in the Bill is, and that everything will be all right in the long term. My right hon. Friend the Member for North Durham has talked about the importance of making things as clear as possible when it comes to responsibilities, because a future Minister might not be as adept in this subject as the hon. Member for Boston and Skegness, who currently occupies that position. In a sense, that is the heart of amendment 11.

--- Later in debate ---
Chi Onwurah Portrait Chi Onwurah
- Hansard - - - Excerpts

I rise simply to support the excellent speech made by my hon. Friend the Member for City of Chester. I thank him for his very kind words. In the amendment, he makes an important contribution in ensuring that Ofcom knows what it needs to know and in putting the onus more firmly on the network providers. I simply ask the Minister to respond to the points that my hon. Friend made in his concluding remarks about being forward-looking.

A challenge for us as a nation in securing our networks during such fast-paced technological change is looking backwards to the problems we have had rather than forwards to the evolving and new threats. During the evidence sessions, we were accused of fetishising 5G as if that was the only security challenge, because of the visible problem with Huawei, and that we were not looking more broadly. I admired Ofcom during my time there because it was set up to be a forward-looking regulator. To achieve that aim, when it comes to the sweeping new requirements around security that are placed on it under the Bill, it needs to be able to see what changes are happening and are likely to influence future evolving threats. To do that effectively, amendment 11 requires the network providers to notify Ofcom of planned or actual changes.

It is worth remembering that—I made this point earlier—if BT had been required to notify Ofcom or another body of changes to its network as Huawei moved to a greater and more dominant position in its network, that might have rung alarm bells more generally. We have also already mentioned the shift that we are seeing on the importance of software and software configuration and services in controlling the network. Requiring providers to notify Ofcom of planned or actual changes to the network would make that evolution more easily visible and therefore provide Ofcom with greater visibility of how all our networks are evolving and what new threats may arise as a consequence.

Matt Warman Portrait Matt Warman
- Hansard - -

The amendment would add to the general duty in clause 5 that places on Ofcom the duty to ensure that providers comply with their security duties. The duty as written in the Bill makes clear Ofcom’s increasing role. The duties imposed on public telecoms providers in the Bill are legally binding, so as the Bill is written providers should not be taking decisions that would prevent them from complying with those duties in the future. If they were not to comply, they would be in breach of their legal duties and liable for enforcement action, including the imposition of the significant penalties set out in the Bill.

The underlying purpose of the amendment—that Ofcom should take a proactive role in regulating the regime—is already core to what is in the Bill and the Government absolutely agree with the principle that the hon. Member for City of Chester set out. We need to ensure that Ofcom has the tools to be forward-looking so that, in a world of fast-changing technologies and threats, it can understand where operators are taking their networks and how that will affect their security. That is an absolutely essential part of the Bill.

James Sunderland Portrait James Sunderland
- Hansard - - - Excerpts

Does the Minister agree that the Bill in its current form is prescriptive enough already?

Matt Warman Portrait Matt Warman
- Hansard - -

I think the Bill is perfectly drafted down to every comma and punctuation mark. To be slightly more serious, what we have sought to do in the drafting is to strike the balance between proportionate regulations and the overarching requirements for national security. That is the balance that we have struck and it is exactly for that reason that we already do in the Bill what the hon. Member for City of Chester and the shadow Minister seek with the amendment.

In section 135 of the Communications Act 2003, as amended by clause 12, Ofcom is already allowed to require information from providers about the future development of networks and services that could have an impact on the security of the network or service they are providing. That would enable Ofcom, for instance, to assess the security risks arising from the deployment of a new technology or from the proposed deployment of a new technology. For those reasons, I hope that the hon. Members are reassured not just that the Bill does what they seek, but that previous drafts of the Communications Act already did so.

Chi Onwurah Portrait Chi Onwurah
- Hansard - - - Excerpts

I thank the Minister for giving way; in doing so, he shortens what I will say later. I think the Minister is saying that Ofcom has the power to require information, which is true, but the amendment is about providers proactively giving that information. Ofcom cannot request information about a change to the networks that it does not know is happening. I am hoping that perhaps what the Minister is implying is that he would expect Ofcom regularly to review what was changing in the networks and therefore make those requests for further information. Could he clarify that point?

Matt Warman Portrait Matt Warman
- Hansard - -

The sort of horizon scanning that the hon. Lady describes is core to all essential regulation, and the relationship that Ofcom has with those whom it regulates promotes the ability to have such conversations. But as I said, the key point is that an operator that proposes knowingly to introduce a risk into its network would clearly not be complying with the statutory provisions of the Bill. That is the essential nub of the issue.

--- Later in debate ---
Matt Warman Portrait Matt Warman
- Hansard - -

I enjoyed the semantic gymnastics by the hon. Member for City of Chester as he tried to expand the scope of the Bill, but I shall try to stick to what is in it. There is a lot of consensus across parties, so I shall resist the temptation of saying that £50,000 is a demonstration that Labour is willing to put a price on national security, which this party will never do, but I understand the points that he makes on both fronts.

The clause provides Ofcom with strengthened powers, including powers to give assessment notices to a provider, that are vital to enable it to fulfil its expanded and more active role. Assessment notices are an important new power in the regime that will give Ofcom tools to assess fully a provider’s security and the extent to which it complies with its security duties. It is Ofcom’s intention that when assessing a provider’s compliance, its first port of call would be to use its information-gathering powers under section 135 of the Communications Act 2003. Ofcom would then use its power to give an assessment notice if it wanted to check the veracity of the information or to follow up a security concern. While Ofcom will therefore use its powers in a targeted and proportionate way, it is also the case that a provider with good security practices would expect to be subject to a lighter-touch assessment. Providers’ duty to bear the costs of assessments will therefore have an incentivising effect.

The amendment would insert a new subsection into new section 105N, limiting the costs that Ofcom could incur in carrying out an assessment. Fundamentally, a hard cap of any sort will always be an arbitrary number which will potentially put an additional hurdle in place. It might be necessary for some of those tests to require genuinely extensive assessment—penetration testing, or red teaming, as exercises are sometimes called, where penetration tests mimic the action that an attacker might take to access the network. Those attacking actions may of course be from sophisticated sources, and the costs of mimicking them in an entirely legitimate way could be substantial; but it is right, in the interest of national security, that Ofcom does not reduce the quality of its testing. We would not seek to limit that either, notwithstanding its independence.

I can offer the Committee some reassurance, however, that Ofcom’s assessment costs will not be excessive. It has a general duty to act proportionately and to follow other principles representing regulatory best practice. Finally, a provider’s duty is to pay only such costs as are reasonably incurred by Ofcom in an assessment, so there is a balance there.

As to the proposed new subsection that would limit those able to carry out assessments to Ofcom or a UK Government agency, the assessments, as the hon. Member for City of Chester knows, may be complex and need specialist skills. Methods such as penetration testing might need specific technical skills and we should not limit Ofcom in that way. However, we should also bear in mind, as the hon. Member for Newcastle upon Tyne Central mentioned, that the independence and expertise of Ofcom is the greatest bulwark against such entirely unfounded but legitimate concerns as those raised by the hon. Member for City of Chester, about who might be appointed by this or any Government to carry out a task in the national interest. None of us would want—and I do not suggest that the hon. Gentleman is doing this—to get into the business of questioning Ofcom’s independence in performing the tasks in question.

Chi Onwurah Portrait Chi Onwurah
- Hansard - - - Excerpts

I am somewhat concerned at the implication of what the Minister says. We cannot put a price on national security, and Ofcom has a role. In an evidence session, Ofcom’s representatives said that although its role excludes any question of its making security decisions, it would ensure compliance, yet now the Minister seems to be saying that Ofcom will not have the skills to ensure compliance. I agree that there are specialised skills. Penetration testing, for example, is a specialised skill, but I would argue that it is a skill that Ofcom should take on as part of this new remit. I say again to the Minister that the skills needed to ensure compliance should be within Ofcom’s remit, or should be better defined.

Matt Warman Portrait Matt Warman
- Hansard - -

Ofcom itself is best placed to exercise discretion as to whether it should carry out those assessments in-house, or whether it should have the flexible capacity to have the capability brought in as necessary. Ultimately, I do not think that anyone would wish to prevent Ofcom from having the ability to do what it thinks necessary by forcing it to use in-house staff only, because we cannot predict the future, as Members on both sides of the Committee have highlighted. Although the cause that the hon. Member for City of Chester is pursuing is a noble one, its unintended consequence would be to constrain Ofcom in both the expertise that it has at its fingertips and the costs that it might incur. We would not want to limit Ofcom’s discretion to make those decisions as an independent organisation.

Chi Onwurah Portrait Chi Onwurah
- Hansard - - - Excerpts

Actually, the amendment would not limit Ofcom’s discretion to bring in additional resources or skills. It would limit Ofcom’s discretion to Government agencies or organisations within the public sector, which, on matters of national security, we should be able to do.

Matt Warman Portrait Matt Warman
- Hansard - -

If the hon. Lady were right, the only people from whom we would have heard evidence over the last few days would have been public sector employees. She knows just as well as I do that the cyber-security sector is a vast mesh of public and private expertise, which is inevitable given that we have private networks offering communications services. Although I understand her point, and I am all for Ofcom having as much expertise as it needs to do its job properly in-house, I simply do not think that we should constrain what it can access in the way that the amendment would.

On this, I think we probably agree on far more than we would perhaps like to admit, but the reason that this is a probing amendment, as the hon. Member for City of Chester said, is because imposing artificial constraints would not be beneficial to Ofcom’s work. We understand what he said, however, and in broad terms, the Government agree.

Christian Matheson Portrait Christian Matheson
- Hansard - - - Excerpts

I am grateful for the debate and for the Minister’s response, but I do not intend to press the amendment any further. I beg to ask leave to withdraw the amendment.

Amendment, by leave, withdrawn.

--- Later in debate ---
When it comes to understanding the supply chains of the network providers as they are today, understanding how successfully they are evolving to become more diverse, which is a hope that we all have—a shared desire—and understanding how technological changes may be bringing in new potential areas of consolidation, monopoly provision, and single points of failure, this amendment is designed to ensure that we have greater understanding of how things are today and advance warning of the implications of changes, and I do hope that the Minister will be able to accept it.
Matt Warman Portrait Matt Warman
- Hansard - -

I will go very briefly over the diversification strategy, which is essentially a £250-million initial tranche of investment to diversify the UK network, with a focus, to a certain extent, on open RAN, as the hon. Lady said. On the information that she would require, I agree with her so comprehensively that the provision is already in the Bill. Section 135 of the Communications Act 2003, as amended by clause 12—she is right that the provision is not in this clause—provides Ofcom with the power to gather information on diversification where Ofcom considers the information necessary for the purpose of carrying out its functions. Clause 12 specifically provides that such information can include information concerning future developments of a public electronic communications network or public electronic communications service that could impact on security. As I said, I agree with her so comprehensively that we had already foreseen the issue and the provision is already in clause 12. The addition of it to this clause would not change that fact. I hope that that provides—

Chi Onwurah Portrait Chi Onwurah
- Hansard - - - Excerpts

I thank the Minister for those comments. He says that the provision is already in clause 12. This is obviously down to my lack of studying, and I thought that I had studied every line of the Bill, but where specifically does clause 12 refer to diversification of supply chains?

Matt Warman Portrait Matt Warman
- Hansard - -

The approach that we have adopted across the Bill is that powers such as those in clause 12 are more than wide enough to cover exactly what is needed. What I am essentially saying, I suppose, is that the legal interpretation of clause 12 absolutely does what the hon. Lady seeks, because it is an absolutely essential part of one of the purposes of the Bill. That is why I hope she can take the necessary comfort to withdraw her amendment.

--- Later in debate ---
Matt Warman Portrait Matt Warman
- Hansard - -

I am very happy to write to the hon. Lady to clarify why it is our belief that the Bill does that. What I would say is that the kind of specificity that she seeks would have the unintended consequence of narrowing what we do, rather than retaining the broad powers that we have in the Bill. As has been the case so often today, we do not disagree on the intent that she is seeking to obtain, and that is why the Bill is drafted as it is. As I say, I am very happy to write to her to try to clarify some of that.

Chi Onwurah Portrait Chi Onwurah
- Hansard - - - Excerpts

We all agree that the Minister is someone whom we like and who has the best intentions. On that basis, and on the basis that we can table further amendments at this stage or on Report if his letter of reassurance should not be sufficiently reassuring, I beg to ask leave to withdraw the amendment.

Amendment, by leave, withdrawn.

Ordered, That further consideration be now adjourned. —(Maria Caulfield.)

Telecommunications (Security) Bill (Seventh sitting) Debate

Full Debate: Read Full Debate
Department: Department for Digital, Culture, Media & Sport

Telecommunications (Security) Bill (Seventh sitting)

Matt Warman Excerpts
Committee stage & Committee Debate: 7th sitting: House of Commons
Tuesday 26th January 2021

(3 years, 10 months ago)

Public Bill Committees
Read Full debate Telecommunications (Security) Act 2021 Read Hansard Text Read Debate Ministerial Extracts Amendment Paper: Public Bill Committee Amendments as at 26 January 2021 - (26 Jan 2021)
None Portrait The Chair
- Hansard -

Before we begin, I have a few preliminary points. Please switch electronic devices to silent. Tea and coffee are not allowed during sittings. I remind Members about the importance of social distancing. Spaces for Members are clearly marked. I also remind Members that Mr Speaker has stated that masks should be worn in Committee. The Hansard reporters would be grateful if Members could email any electronic copies of their speaking notes to hansardnotes@parliament.uk.

Today we continue line-by-line consideration of the Bill. The selection list for today’s sitting is available in the room. It shows how the selected amendments have been grouped for debate. Amendments grouped together are generally on the same or a similar issue. Please note that decisions on amendments do not take place in the order they are debated, but in the order they appear on the amendment paper. The selection and grouping list shows the order of debates. Decisions on each amendment are taken when we come to the clause to which the amendment relates.

Clause 6

Powers of OFCOM to assess compliance with security duties

Question proposed, That the clause stand part of the Bill.

Matt Warman Portrait The Parliamentary Under-Secretary of State for Digital, Culture, Media and Sport (Matt Warman)
- Hansard - -

It is a pleasure to be back under your chairmanship, Mr Hollobone. As we discussed during the debate on amendments to this clause in our previous sitting, clause 6 inserts proposed new sections 105N to R, providing Ofcom with strengthened powers to assess whether providers of public electronic communications networks and services are complying with their security duty. These powers are vital to enable Ofcom to fulfil its expanded and more active role, giving it the tools to monitor and assess providers’ compliance with the new telecoms security framework and providing the basis for commencing any enforcement action.

Proposed new section 105O provides the power to give assessment notices to a provider. Assessment notices may impose a duty on a provider to do a number of different things, which I will briefly summarise. First, providers can be required to carry out, or arrange for another person to carry out, technical testing in relation to their network or service. Secondly, they can be required to make staff available to be interviewed, enabling Ofcom to gain insights into how a provider’s security practices and policies are implemented.

Thirdly, providers can be required to allow an Ofcom employee or an assessor authorised by Ofcom to enter their premises to view documents or equipment. I recognise that that is a significant power, but it is necessary. It is subject to certain restrictions to protect legally privileged information and to limit entry to non-domestic premises only. To provide clarity for telecoms providers, Ofcom will also publish guidance setting out how and when it will use the power. Importantly, providers have a right of appeal.

The powers of assessment set out in the clause are key to enabling Ofcom to carry out the effective and extensive monitoring and assessment of providers’ security practices that is necessary.

Chi Onwurah Portrait Chi Onwurah (Newcastle upon Tyne Central) (Lab)
- Hansard - - - Excerpts

It is a pleasure to serve under your chairmanship, Mr Hollobone, and to come back to this important Bill. I thank the Minister for writing to me and reassuring me on certain matters relevant to the clause. We accept the need for Ofcom to have powers to require information from vendors, but we would like a specific requirement whereby Ofcom can ask vendors for information on the diversity of their supply chains. I will leave further discussion on that for our new clauses. I will support this clause.

Question put and agreed to.

Clause 6 accordingly ordered to stand part of the Bill.

Clause 7

Powers of OFCOM to enforce compliance with security duties

Question proposed, That the clause stand part of the Bill.

None Portrait The Chair
- Hansard -

With this it will be convenient to discuss the following:

Clause 8 stand part.

Clause 9 stand part.

Clause 10 stand part.

Matt Warman Portrait Matt Warman
- Hansard - -

I will seek to move relatively rapidly through these four clauses.

Clause 7 provides Ofcom with enforcement powers in relation to providers’ security duties. The Bill gives Ofcom new powers to impose tough financial penalties on providers who breach their security duties. The penalties range to a maximum fine of 10% of a provider’s annual turnover, which is in line with the maximum fines available for breaching other regulatory requirements. For continuing contraventions, Ofcom can levy a daily penalty of up to £100,000. Penalties that are generally lower than that but still significant will also apply for contravening information requirements, which are subject to a maximum penalty of £10 million or, for a continuing contravention, a penalty of up to £50,000 per day. These penalties ensure that there will be a real financial deterrent to poor security practices. I should also say that, in the most serious cases, or in cases where a provider repeatedly contravenes its security duties, Ofcom would be able to use existing powers to suspend or restrict the provider’s entitlements to provide a network or service. Clearly, that is a step that we hope the regulator will never need to take.

The clause also gives Ofcom an important new power to take action where security is being compromised or is at imminent risk of being compromised. Proposed new sections 105U and 105V of the Communications Act 2003 would enable Ofcom to direct a provider to take interim steps to secure its network or service while Ofcom investigates or pursues further action. This power recognises that contravention of a security duty could result in a security compromise that causes real damage to users of that network or service. Where Ofcom uses that power, it will be required to commence and complete the enforcement process as soon as is reasonably practicable. The clause gives Ofcom the tools it needs to effectively enforce compliance with the new security framework.

Clause 8 sets out the position for bringing civil claims against providers who breach their security duties, which is a matter we touched on in earlier debates. It enables providers to be held accountable not just by Ofcom but by service users, such as members of the public, in cases where loss or damage is sustained by those users as the result of a breach of a duty. Providers owe a duty to any person who may be affected by a contravention of their security duties to take security measures, to comply with specific security duties in any regulations and to inform users of security compromises.

This clause allows any affected person to take legal action should providers breach those security duties. However, any affected person can bring legal proceedings against a provider only with the consent of Ofcom, which may be subject to conditions relating to the conduct of the legal action. This reflects the existing position in the Communications Act 2003 and ensures that providers face legal action only in appropriate circumstances. The clause also makes providers responsible to their users, providing another source of accountability. It allows users to bring legal claims for any losses they have suffered, which is only fair and reasonable.

Clause 9 addresses the interaction between provisions in the Bill and other legislation, specifically national security, law enforcement and prisons legislation. The security duties created by the Bill do not conflict with duties imposed on communications providers by other legislation via these clauses. Equally, we do not want the Bill to affect adversely the important work carried out by our law enforcement agencies, criminal justice authorities and intelligence agencies. The clause gives that clarity to providers about their responsibilities.

Finally, clause 10 requires that Ofcom publish a statement of policy about how it will fulfil its general duty and use specific powers to ensure that providers comply with their security duties. This will provide welcome clarity to industry about the expected use of important new powers. I beg to move that these clauses stand part of the Bill.

Chi Onwurah Portrait Chi Onwurah
- Hansard - - - Excerpts

I will not detain the Committee long, as we are cracking on through the clauses. I will only emphasise that these clauses give Ofcom broad powers—very broad powers—and measures of enforcement, as well as placing duties on the network operators to all users of their network services. We support these broad powers, but it is incumbent on the Minister and indeed on the Committee to consider whether those powers will receive sufficient scrutiny, and sufficient oversight and input from our security services. We anticipate debating those particular questions in more detail later today. In the meantime, we will not stand in the way of these clauses standing part of the Bill.

Question put and agreed to.

Clause 7 accordingly ordered to stand part of the Bill.

Clauses 8 to 10 ordered to stand part of the Bill.

Clause 11

Reporting on matters related to security

--- Later in debate ---
Matt Warman Portrait Matt Warman
- Hansard - -

I welcome the spirit of the amendment. I think that the hon. Lady and I share the same ambition. I know that she wants to have the proper debate later, so we look forward to that.

Clause 11 inserts into the Communications Act 2003 proposed new section 105Z, which deals with Ofcom’s reports on security. It requires Ofcom to produce such reports within two years of the Bill receiving Royal Assent and every 12 months thereafter. As the hon. Lady said, amendment 14 is similar to the amendment to clause 6 that we discussed previously. Ultimately, when considering Ofcom’s role and specifically its reporting function, we should note that proposed new section 105Z(2) requires Ofcom security reports to include such information and advice as Ofcom considers may best assist the Secretary of State in the formulation of policy on telecoms security. That could go beyond the list in proposed new subsection (4) to include other relevant information, such as that related to diversification. The Secretary of State can also direct Ofcom to include information that goes beyond that list.

As the Committee and, indeed, Ofcom will be well aware, the Government have recently published a targeted diversification strategy, which will deliver lasting and meaningful change in the 5G supply chain and pave the way for a vibrant, innovative and dynamic supply market. We heard widespread support for the strategy from witnesses during the oral evidence sessions. The strategy demonstrates our commitment to building a healthy supply market and is backed by a £250 million initial investment.

We have publicly announced that the Government will be funding the creation of a UK telecoms lab to research and test new ways of increasing security and interoperability, and we are already partnering with Ofcom and Digital Catapult to fund the industry-facing test facility SONIC—the SmartRAN Open Network Interoperability Centre. Both of those will play a key part in our investment in diversification and demonstrate Ofcom’s existing part in it.

As already mentioned, amendment 14 would require Ofcom to include in its security reports

“an assessment of the impact on security of”

any

“changes to the diversity of the supply chain for network equipment”.

As that requirement is already essentially covered by Ofcom’s existing powers, the amendment is not necessary. The inclusion of any such information is already within Ofcom’s discretion, but I am sure that we will discuss it more later on, as the hon. Lady said.

Clause 12 expands Ofcom’s information-gathering powers for the purposes of its security functions and enhances its ability to share the information with the Government. It enables Ofcom to require a provider to produce, generate, collect or retain security information, and then to analyse that information. Any information sought using this power must always be proportionate to how Ofcom will use it.

Clause 13 makes provision in connection with the standard of review applied by the Competition Appeal Tribunal in appeals against certain of Ofcom’s security-related decisions. Ofcom’s regulatory decisions are subject to a right of appeal to the tribunal, and that will also be the case for most of Ofcom’s decisions relating to the exercise of its regulatory powers conferred by the Bill. This clause makes provision to ensure that the tribunal is not required to modify its approach in appeals against relevant security decisions, and should instead apply ordinary judicial review principles.

I hope that I have sufficiently explained to the Committee why amendment 14 is unnecessary and why clauses 11 to 13 as drafted should stand part of the Bill.

Chi Onwurah Portrait Chi Onwurah
- Hansard - - - Excerpts

I thank the Minister for his comments. Although we agree on many things in many areas, I think that in this case he is trying to have his cake and eat it, inasmuch as he is saying that amendment 14 is not necessary because Ofcom already has the powers, but he is reluctant or is refusing to specify that those powers will be used for the objective of reporting on the progress of diversification of the supply chain. It was good to hear the Minister reiterate the importance of diversification of the supply chain, but I remain confused about whether he agrees with the evidence and, indeed, with his own Secretary of State that diversification of the supply chain is a prerequisite of the security of our networks and, indeed, our national security—that is what we are discussing with regard to our telecoms networks. If diversification is a prerequisite, why is the Minister so reluctant to refer to it? If he is so confident in the plan to diversify our supply chains, why is he so reluctant to insert any requirements to report on the progress of that diversification?

I listened intently: the Minister said that Ofcom has the powers to report on whatever it considers to be relevant to security. During the evidence session, we heard from Ofcom itself, very clearly and repeatedly, that it is not for Ofcom to make decisions on national security. It will not make national security decisions. That is not within its remit and responsibilities; the witnesses from Ofcom stated that repeatedly and clearly. I would be happy to read from Hansard if that point is in question. Given that Ofcom will not make security decisions and that the diversification of the supply chain is essential for security, I am at a loss to understand why the Minister will not accept a reference to reporting on the progress of diversification. Although, unfortunately, the pandemic means that we are not at full strength on the Opposition side of the Committee, I wish to test the will of the Committee on the amendment.

Question put, That the amendment be made.

--- Later in debate ---
The next five years will be key to the maturation of the technologies about which the Minister has so many hopes to help with the diversification of our supply chain and in terms of the global security and geopolitical environment and landscape, yet we have no requirement for reporting or accountability during that time. That is what the amendment is designed to change.
Matt Warman Portrait Matt Warman
- Hansard - -

I listen with interest to the points that the hon. Lady makes, and to the assertion that she is a member of the party of national security. I welcome her to this side of the House, if that is the case. [Interruption.] Thank you, but no.

As the hon. Lady says, clause 14 is a review clause requiring the impact and effectiveness of clauses 1 to 13 to be reviewed at least every five years by the Secretary of State. The review report must be published and laid before Parliament, but it is by no means the only source of parliament scrutiny, as she knows. Her amendment would increase the frequency of these reports to every year for the first five years after the Bill is passed and then every five years thereafter.

Increasing the frequency of the reports would bring its own challenges for a number of reasons. First, the framework is considerably different from the previous security regime in the Communications Act 2003. It seems to me that we will not be able fully to assess the impact and effectiveness of the new security regime instituted by clauses 1 to 13 until all parts of the framework, including secondary legislation, codes of practice and other things, have been in place for a reasonable period of time. The code of practice that will provide guidance on the detailed security measures that telecoms could take is intended to set clear implementation timelines. Some measures may require significant operational change, as we heard in the evidence sessions for telecoms providers, and we are aware that that may be costly. For that reason, we cannot reasonably expect all changes to be implemented instantly or, indeed, all necessarily at the same time.

There is a further practical difficulty with the amendment. If the first report is to be produced 12 months after Royal Assent, it will require the review to be undertaken well in advance of that deadline. That means that the report will represent an incomplete picture of the Bill’s impact, even at its very first production. Some measures will not even have been implemented by telecoms providers.

My hon. Friend the Member for Hyndburn was exactly right that the current requirement for publishing reports is at least—rather than at most—every five years. We have been deliberate in our choice of this timeframe because five years is the reasonable point by which we expect the majority of telecoms providers to have implemented most, if not all, changes. It is therefore considered appropriate to require a report on the impact and effectiveness of the framework by that time. I recognise that five years is a long time. That does not mean that the framework will be free from scrutiny in the intervening period. As clause 11(3) sets out, the Bill amends section 134B of the Communications Act so that Ofcom’s regular infrastructure reports will include information on public telecoms providers’ compliance with the new security framework. Ofcom publishes the reports annually, rendering the amendment unnecessary.

Chi Onwurah Portrait Chi Onwurah
- Hansard - - - Excerpts

On a point of clarification, I have the impression that the Minister anticipates that the first report under the Bill would only happen once all the requirements had been implemented. I think that that implies that it would only happen once a high-risk vendor, specifically Huawei, had been removed from the network.

Matt Warman Portrait Matt Warman
- Hansard - -

No is the short answer, because while this is a progress report, five years from 2021 is 2026—the deadline is 2027, even at the most extreme end, which is not where we anticipate it will end up—and it would be before the point that she identifies.

The infrastructure reports from Ofcom will help to provide Parliament and the public with a view on how telecoms providers are progressing with compliance with the new framework. As I alluded to earlier, they are not the only means of parliamentary scrutiny. We have the Intelligence and Security Committee and we have Select Committees. I suspect that there might be one or two debates on this matter over the next five years as well. To pretend that this is the only method of parliamentary scrutiny is not accurate.

Chi Onwurah Portrait Chi Onwurah
- Hansard - - - Excerpts

If the Minister will give way briefly, he may find it saves time. To clarify: for the first report we will not necessarily have to wait until all the provisions of delegated legislation associated with the Bill are in place. As for the infrastructure reports that Ofcom publishes, to which he refers as a form of alternative scrutiny, will they, might they or will they not reflect progress in the diversification of the supply chain?

Matt Warman Portrait Matt Warman
- Hansard - -

The hon. Lady asks me to predict what is in a report that has not been written yet by an organisation that is not a Government Department. I agree with the principle of what she is saying. This is an important aspect and one would reasonably expect it to be reflected in the reports that we have talked about. It is, however, important overall to say that Ofcom’s own regular infrastructure reports will, as I have said, include information on public telecoms providers’ compliance with the new security framework, which is the broadest interpretation and gives a huge amount of latitude for the sorts of information that she seeks. I hope that those infrastructure reports will help to provide Parliament with the kind of scrutiny that she seeks, and the public with the kind of scrutiny that we all seek. [Interruption.] For those reasons I hope that she will withdraw the amendment.

Chi Onwurah Portrait Chi Onwurah
- Hansard - - - Excerpts

I thank my right hon. Friend the Member for North Durham for an exciting intervention from his phone, and I thank the Minister for his comments. As I think I have said, I spent six years working for Ofcom with the Communications Act 2003 on my desk. I know the importance that our independent regulator places on the words of the Minister during such debates as this. As he has indicated that the reports would do well to include reference to everything that appertains to security, including the diversification of supply chain, I beg to ask leave to withdraw the amendment.

Amendment, by leave, withdrawn.

Clause 14 ordered to stand part of the Bill.

Clause 15

Designated vendor directions

--- Later in debate ---
The Secretary of State should have access directly to the security information and should not have to go through the filter of the Cabinet Office or Ofcom. I accept the assurances that the Minister gave about Ofcom’s ability to give advice and work closely with the security services, and these are probing amendments. I am interested in what he says about how we can ensure that when the Secretary of State takes a decision, national security is at its heart, and that he or she got it straight from the horse’s mouth—in other words, from the security services—rather than its being filtered through the membrane that sometimes exists in Whitehall.
Matt Warman Portrait Matt Warman
- Hansard - -

I thank the right hon. Gentleman for his contribution to the debate. He has talked so much about my impermanence that I felt lucky to come back today, never mind any time in the future. He makes a reasonable point, with which I broadly sympathise. As this is a broad grouping that covers clauses 15 and 16 and the amendments to clauses 15, 16 and 17, I will discuss the policy intention behind the clauses in sequence, and address the amendments.

As the right hon. Gentleman said, it is obviously an opportune moment to pay tribute to the heroic work of our national security services. The Bill emphasises the importance of their advice, and it empowers the Government to manage the presence of high-risk vendors in our networks. The report to which he refers is important, but it is also important to say that it was published, as he said, in 2013. It related almost entirely to events that took place under Labour, and it predates the existence of the National Cyber Security Centre, so we are dealing to some extent with a different world. I will go into a bit of detail on that.

As the right hon. Gentleman knows, the Government announced in January last year that new restrictions should be placed on the use of high-risk vendors in the UK’s 5G and full-fibre networks. In July 2020, the Government worked with the NCSC to update the guidance following action taken by the US Government in relation to Huawei. Clauses 15 to 17 provide the principal powers that the Government need to manage the risks posed by high-risk vendors. Without such powers, the guidance issued to industry will remain unenforceable and therefore present a risk to national security.

Lord Beamish Portrait Mr Jones
- Hansard - - - Excerpts

I accept what the Minister says about the report, but its key point was that civil servants basically decided not to tell Ministers. On his explanation and the way forward, or what has changed since, how can we avoid a situation whereby Cabinet Office civil servants take the decision not to tell Ministers? How can we ensure that that will not happen again?

Matt Warman Portrait Matt Warman
- Hansard - -

In short, the right hon. Gentleman is challenging the fundamental effectiveness of Government and the judgments that were made by officials at the time. I simply say that it is the duty of Government to ensure that such errors are not made in future. That cannot be done solely by legislative means; it must be done by custom and practice. The right hon. Gentleman understands, through his work on the ISC, that the role of those close working relationships is in some ways far more important in the day-to-day security issues that we are dealing with. Perhaps we can return to that point later.

The Bill will allow the Secretary of State to issue designated vendor directions, imposing controls on the use of goods, services or facilities that are supplied, provided or made available by designated vendors. The Secretary of State may issue such directions only where it is necessary to do so in the interests of national security and proportionate to the aims sought to be achieved.

Amendment 16, which would amend clause 15, seeks to place a statutory requirement on the Secretary of State to take into account advice from our intelligence services when considering whether to issue a designated vendor direction. Amendment 17, which would amend clause 16, seeks to place a similar requirement when considering a designation notice.

I should reassure hon. Members that the Secretary of State, as the right hon. Member for North Durham knows, has every intention of seeking the advice of our security and intelligence services, as would any Secretary of State, in particular the NCSC, when considering whether to issue a designated vendor direction or designation notice.

It is also worth saying, from a scrutiny point of view, that the Department for Digital, Culture, Media and Sport maintains an excellent relationship with the NCSC. We are scrutinised by the Select Committee on Digital, Culture, Media and Sport and I have appeared before the Intelligence and Security Committee, as the right hon. Gentleman knows. There are many examples in the Bill where the NCSC’s expert advice has been taken into account.

The UK telecoms supply chain review, on which the Bill is based, was the product of the close working relationship between the Department for Digital, Culture, Media and Sport and the NCSC. In a sense, that close working relationship demonstrates that matters have moved on substantively since 2013.

I draw hon. Members’ attention to the illustrative notices that we published in November last year. The NCSC was closely involved in the drafting of those illustrative notices. It will also be involved in the drafting of direction and designation notices once the Bill has been enacted . Given the demonstrable success of our collaboration with the NCSC thus far, I hope that the right hon. Gentleman will be satisfied with that explanation, although I appreciate that he introduced a probing amendment.

Clause 15 would create the new power for the Secretary of State to issue designated vendor directions to public communications providers, in the interests of national security. Although clauses 15 and 16 are distinct, they are complementary. Directions cannot be issued without identification of a designated vendor and designations have no effect unless directions are given to public communications providers. Clause 15 inserts new sections 105Z1 to 105Z7 into the Communications Act 2003 and amends section 151 for that purpose.

The clause will enable the Government’s announcements in 2020 on the use of high-risk vendors to be given legal effect. Those announcements include advice that require a public telecoms provider to exclude Huawei from their 5G networks by 2027, and stop installing new Huawei goods, services or facilities in 5G networks from September 2021. It will also enable the Government to address risks that might be posed by future high-risk vendors, helping to ensure our telecoms networks are safe and secure.

Proposed new section 105Z1 sets out the direction power. It would allow the Secretary of State to give a designated vendor direction to a provider, imposing requirements on their use of goods, services or facilities supplied by a specified designated vendor. Proposed new section 105Z2 provides further details on the types of requirements that may be imposed in a designated vendor direction. Proposed new section 105Z3 sets out the consultation requirements and expectations for public communications providers. Proposed new section 105Z4 sets out a requirement for the Secretary of State to provide a copy of a direction to the designated vendor or vendors, specified in a direction and, hence, affected by it. Proposed new sections 105Z5 and 105Z6 set out when and how the Secretary of State may vary or revoke a direction. Lastly, 105Z7 enables the Secretary of State to require a public communications provider to provide a plan setting out the steps that it intends to take to comply with any requirements set out in a direction and the timings of those steps.

Although the Government have made specific announcements on Huawei, the high-risk vendor policy has not been designed around one company, country or threat. The designated vendor direction power, as set out in these provisions, is intended to be an enduring and flexible power, enabling the Government to manage the risks posed to telecoms networks both now and in the future.

Clause 16 includes a non-exhaustive list of matters to which the Secretary of State may have regard when considering whether to issue a designation notice. Amendment 18 seeks to amend that clause by adding a person’s control of data flows to the list of matters to which the Secretary of State may have regard. However, nothing in the clause prevents the Secretary of State from considering control of data flows before issuing a designation notice already, if the matter were deemed relevant to the assessment of national security. It is already covered and so is not required as a stand-alone measure.

The clause creates a power for the Secretary of State to issue a designation notice, which designates a vendor for the purposes of issuing a designated vendor direction. Proposed new section 105Z8 is the principal measure of the clause, and sets out the power for the Secretary of State to designate specific vendors where necessary in the interests of national security. A designation notice must specify the reasons for designation unless the Secretary of State considers that doing so would be contrary to the interests of national security. The proposed new section also lists the primary factors that may be taken into account by the Secretary of State when considering whether to designate a vendor on national security grounds.

Finally in this group, amendment 19 would require the Secretary of State, when laying a designation noticed before Parliament, also to lay before Parliament a report detailing the impact that the designation notice might have on the diversity of the UK’s telecoms supply chain. The effect of the amendment would be to require the Secretary of State to lay a report purely on the impact of the designation notice, but a designation notice simply notifies vendors that the Government consider them a risk to national security.

Only when the designation notice is issued alongside a designated vendor direction are controls placed on the use of a designated vendor’s goods, services and facilities by public communication providers, so it is those controls that might have an impact on the diversity of the supply chain. I can reassure the Committee that the Government will consider the diversity of the supply chain before issuing designation notices and designated vendor directions. A lack of diversity is in itself a risk to the security of a network. I hope that answers the question that the hon. Member for Newcastle upon Tyne Central asked in regard to an earlier amendment. It is right that the Government consider that risk before deciding whether to issue designation notices and designated vendor directions.

To conclude, clauses 15 and 16 provide us with the ability to improve the security of our telecommunications networks and to manage the risks relating to high-risk vendors, both now and in the future.

--- Later in debate ---
Chi Onwurah Portrait Chi Onwurah
- Hansard - - - Excerpts

Thank you for the clarification, Mr Hollobone. I see that we are discussing whether clauses 15 and 16 stand part. I support those clauses and look forward to the Minister’s response to the amendment.

Matt Warman Portrait Matt Warman
- Hansard - -

I pre-emptively covered a lot of the hon. Lady’s questions, but I will say two brief things. She talked about consolidation in the cloud sector. While the Bill is very much a national security Bill, the National Security and Investment Bill would cover consolidation in that sort of sector, rather than this one. Obviously they do work together.

Chi Onwurah Portrait Chi Onwurah
- Hansard - - - Excerpts

The point I am making—clearly, I did not make it effectively—is that that sector is becoming this sector. The cloud sector is becoming the telecoms sector. The reason we need this Bill in addition to the National Security and Investment Bill is to address the security concerns of the telecoms sector specifically. The cloud sector is becoming part of the telecoms sector, yet the Bill does not address those concerns.

Matt Warman Portrait Matt Warman
- Hansard - -

The hon. Lady is not wrong, obviously, in the sense that there is a potential conversation to be had about when a cloud provider is a telecoms provider and vice versa, if I can put it like that, although it is not the most elegant way of doing so. However, the point is that the reason we have comprehensive coverage of the landscape is because we have both the National Security and Investment Bill, which she debated recently, and this Bill. The broad powers that she described are intended to provide precisely that sort of coverage.

Similarly, the hon. Lady referred to the length of the list in clause 16 of matters that can be taken into consideration. That relates to the point I made previously, namely that the sorts of issues that she is talking about, such as data flows, are already covered in the long list. The list is as long as it is because it is intended to look to the future. Therefore, being prescriptive in the way that she describes is fundamentally unnecessary. We are not excluding what she wants to be on the list. A matter is already very much there if it is pertinent to national security. For that reason, I do not think there is a compelling case to add that single topic to the list, both because it is already there and because if we start going down that route, we could make the case for adding a host of other things that are already covered but that people might want to be mentioned specifically.

As I said earlier on the convergence of the two sectors, the point is that we have comprehensive coverage through both Bills. It will be for the NCSC, Ofcom and the Government to make a judgment as to whether any consolidation in a sector poses a national security risk.

Lord Beamish Portrait Mr Jones
- Hansard - - - Excerpts

I beg to ask leave to withdraw the amendment.

Amendment, by leave, withdrawn.

Clause 15 ordered to stand part of the Bill.

Clause 16 ordered to stand part of the Bill.

Clause 17

Laying before Parliament

--- Later in debate ---
Chi Onwurah Portrait Chi Onwurah
- Hansard - - - Excerpts

Thank you, Mr Hollobone. It is sometimes confusing to know exactly what is being discussed at what point. With that, I ask the Minister to respond to our concerns about the scrutiny of the powers in the clause.

Matt Warman Portrait Matt Warman
- Hansard - -

I welcome the second salvo in the campaign to address this matter by the right hon. Member for North Durham. He said it would be an ongoing campaign.

This group of amendments would require the Secretary of State to provide information relating to a designated vendor direction or designation notice to the ISC. The amendments would require the Secretary of State to do this only where directions and designation notices had not been laid before Parliament, whether in full or in part, as a result of the national security exemptions in clause 17. It will not surprise the right hon. Member for North Durham or other Opposition Members that some of these short remarks will overlap with the conversation that we had earlier on a similar matter.

Amendment 20 would require designated vendor directions or designation notices to be provided to the ISC. Amendments 22 to 25 would require the Secretary of State also to provide the ISC with copies of any notifications of contraventions, confirmation decisions and so on. Although I recognise some Members’ desire for the ISC to play a greater role in the oversight of national security decision making across government, including in relation to this Bill, the amendments would, as the right hon. Member for North Durham knows, extend the ISC’s role in an unprecedented way. None the less, I thank his welcome for my unprecedented appearance.

As I said in the debate on amendment 9, the ISC’s primary focus is to oversee the work of the security and intelligence agencies. Its remit is clearly defined in the Justice and Security Act 2013, and the accompanying statutory memorandum of understanding, to which the right hon. Gentleman referred. I do not think he thinks it is my place to take a view on that role, and I do not think this Bill is the place to have that debate.

Lord Beamish Portrait Mr Jones
- Hansard - - - Excerpts

Yes, but I would ask the Minister’s civil servants to read the Act before they write this stuff for him. The Act refers to “intelligence”. Our remit is not fixed by a Department. I know the Minister sympathises with this and that we will get there eventually, but I say to his civil servants, please read the Act.

Matt Warman Portrait Matt Warman
- Hansard - -

I will come on to that. Accepting any of these unilateral amendments to this Bill is not the appropriate place to achieve an overall enhanced role for the ISC—

Lord Beamish Portrait Mr Jones
- Hansard - - - Excerpts

I am sorry to say to the Minister that it is not looking for an enhanced role at all. It is actually doing what it says in the Justice and Security Act 2013. It is about scrutinising intelligence. A lot of the information, which will be used by him and others in these orders, will be derived from the same decisions that we oversee .

Matt Warman Portrait Matt Warman
- Hansard - -

Absolutely. Members of the Committee should note that in exercising the powers created by this Bill, the Secretary of State will be advised by the NCSC on relevant technical and national security matters. The NCSC’s work already falls within the Intelligence and Security Committee’s remit, so the right hon. Gentleman has found his own salvation.

In that context, the amendment seems to duplicate that existing power, while also seeking to do something that is better done in reform of a different Act, if that is what the right hon. Gentleman seeks. I am sorry to disappoint him again. I think he knew already that I would do that, but I look forward to his third, fourth and fifth salvos in his ongoing campaign.

Christian Matheson Portrait Christian Matheson
- Hansard - - - Excerpts

I hear the Minister’s explanation, which we have been over before when considering other amendments. He talks about other salvos by my right hon. Friend the Member for North Durham. I go back to the statement that my right hon. Friend made last week, which is that he expects that at some point something will happen and we will move forward.

Telecommunications (Security) Bill (Eighth sitting)

Matt Warman Excerpts
None Portrait The Chair
- Hansard -

With this it will be convenient to discuss clauses 19 to 23 stand part.

Matt Warman Portrait The Parliamentary Under-Secretary of State for Digital, Culture, Media and Sport (Matt Warman)
- Hansard - -

It is a pleasure to be back under your chairmanship, Mr McCabe.

I will try to rattle through these as quickly as I can. Clauses 18 to 23 cover monitoring and enforcement, and further provisions relating to non-disclosure and information requirements. Clause 18 gives the Secretary of State the power to give Ofcom a monitoring direction, requiring the regulator to obtain information relating to a public telecoms provider’s compliance with a designated vendor direction and to provide that information in a report to the Secretary of State.

The clause also includes requirements about the form of such reports and the procedures around their provision, but it does not create any new powers for Ofcom, which already has them under section 135 of the Communications Act 2003. The provisions in the clause are an integral part of the compliance regime. The power to give a monitoring direction to Ofcom is necessary to ensure that the Secretary of State has the ability to require it to provide the information needed to assess compliance with designated vendor directions.

Clause 19 provides Ofcom with the power to give inspection notices to public communications providers. The provisions will apply only where the Secretary of State has given Ofcom a monitoring direction. Inspection notices enable Ofcom to gather information from communications providers in relation to their compliance with a direction. The notices are a tool for Ofcom to give effect to its obligations under a monitoring direction.

Clause 19 also sets out the new duties that inspection notices can impose, the types of information that they can be used to obtain and how the duties in an inspection notice will be enforced. Ofcom may only give inspection notices in order to obtain information relating to whether a provider has complied or is complying with a direction. The notice power cannot be used to obtain information relating to whether a provider has complied or is complying with a direction. The notice power cannot be used to obtain information relating to how a provider is preparing to comply with a direction. Ofcom can instead use its other information-gathering powers under section 135 of the Communications Act 2003 to obtain such information.

Clause 20 provides the Secretary of State with the powers necessary to enforce compliance with designated vendor directions, as well as with any requirement for a public communications provider to prepare a plan setting out the steps it intends to take to comply. It is the Secretary of State’s responsibility to issue directions where necessary in the interest of national security. Clause 20 is essential to ensure that the Secretary of State can carry out this role effectively and enforce compliance with any directions issued. New sections 105Z18 to 105Z21 will be inserted into the Communications Act 2003 for this purpose. The provisions set out the process that the Secretary of State will follow in instances where an assessment is made that a public communications provider is not acting in compliance with the direction or with the requirement to provide a plan. The process encompasses giving a contravention notice, enforcing it and imposing penalties for non-compliance. The clause is essential in ensuring that the Secretary of State can carry out the role effectively and deters and penalises instances of non-compliance.

Clause 21 provides the Secretary of State with the power to give urgent enforcement directions. Provisions to enable urgent enforcement are needed in cases where the Secretary of State considers that urgent action is necessary to protect national security or to prevent significant harm to the security of a public electronic communications network, service or facility.

Clause 22 creates a power for the Secretary of State to impose a requirement on public communications providers or vendors not to disclose certain types of information without permission. The provisions are necessary to prevent the unauthorised disclosure of information, which would be contrary to the interest of national security.

Finally, clause 23 creates a power for the Secretary of State to require information from a public communications provider or any other person who may have information relevant to the exercise of the Secretary of State’s functions under clauses 18 to 21. For example, the Secretary of State can require information on a provider’s planned use of such goods or information relating to how a network is provided. It can also include information about the proposed supply of goods or services. The ability to gather such information would ensure that the Secretary of State is able to make well-informed decisions when considering whether to issue designation notices and designated vendor directions. Information obtained through the use of this power can also be used to support the monitoring of compliance, with directions supplementing information gathered by Ofcom through its information-gathering and inspection notice powers.

To summarise, new sections 105Z18 to 105Z21 together establish the power and processes that outline how the designated vendor regime will be monitored and enforced. The provisions in clause 22 are needed to manage the disclosure of information, the unauthorised disclosure of which may be contrary to national security, and clause 23 will ensure that the Secretary of State is able to obtain the information necessary to make assessments to determine whether to give a notice or direction and to assess compliance.

Chi Onwurah Portrait Chi Onwurah (Newcastle upon Tyne Central) (Lab)
- Hansard - - - Excerpts

It is a pleasure to serve under your chairmanship once again, Mr McCabe. I will not detain the Committee long with a consideration of the clauses, and I thank the Minister for so ably setting out what the clauses aim to achieve. Indeed, we on this side recognise the importance and the necessity of clauses 18 to 23 in establishing the process and ensuring the powers to obtain information and enforce direction as part of that process.

We only reiterate a small number of important points to draw attention once again to the breadth of the powers, which enable the Secretary of State to require information to an almost unlimited extent. Given the breadth of the powers, the information and progress on the telecommunications diversification strategy is, once again, notable by its absence. Given the breadth of the requirements, it is notable that there is nothing on progress on the diversification strategy. Nor, if my memory serves me correctly, does the impact assessment reflect the potential costs to either the network operators or Ofcom in exercising these powers. The clauses do not set out the impact and they emphasise once again the importance of Ofcom having the appropriate resources to enable it to carry out the requirements effectively. I hope that the Minister will bear those limitations in mind in his ongoing review of the Bill.

Question put and agreed to.

Clause 18 accordingly ordered to stand part of the Bill.

Clauses 19 to 23 ordered to stand part of the Bill.

Clause 24

Further amendment concerning penalties

Question proposed, That the clause stand part of the Bill.

None Portrait The Chair
- Hansard -

With this it will be convenient to discuss clause 25 stand part.

Matt Warman Portrait Matt Warman
- Hansard - -

Clause 24 enables higher penalties than those currently set out in the Communications Act 2003 to be issued by Ofcom, and clause 25 makes two necessary consequential amendments to that Act. The penalties under clause 24 can be imposed for contraventions of requirements to provide information to Ofcom for the purpose of its security-related functions. That includes when providers do not provide information requested by Ofcom for the purpose of providing a report to the Secretary of State.

Penalties can be set at a maximum of £10 million or, in the case of a continuing contravention, up to £50,000 a day. These maximum penalties are a marked increase on the existing ones, which are capped at £2 million, or £500 a day. This clause ensures that the maximum penalties are the same as those in clause 23. The size of these penalties is appropriate given the potential impact of the situation described. Proposed new section 139ZA(5) of the 2003 Act, inserted by this clause, gives the Secretary of State the power to change, by regulations subject to the affirmative procedure, the maximum amount of the fixed and daily penalties. That will help to future-proof the framework by ensuring that penalties can be adjusted over time—for example, because of inflation.

In summary, clause 24 enables Ofcom to issue the financial penalties necessary to ensure that providers supply it with the information that it needs. Clause 25 contains the consequential amendments to that, which are necessary because the Bill creates a number of powers to make regulations and some of those regulations will amend primary legislation.

--- Later in debate ---
None Portrait The Chair
- Hansard -

With this it will be convenient to discuss the following:

Clause 27 stand part.

Government amendments 1 to 4.

Clauses 28 and 29 stand part.

Matt Warman Portrait Matt Warman
- Hansard - -

I will be brief, but it is important to cover the Government amendments. The clause provides that any increase in expenditure attributable to the Bill is paid out by Parliament. Clause 27 covers the extent of the Bill and clause 28 provides for the commencement of the Bill’s provisions.

I turn to the small set of amendments that the Government deem necessary, given that the Bill will be carried over to the second Session. The Bill creates new national security powers for the Secretary of State to address the risks posed by high-risk vendors through the issuing and enforcement of designated vendor directions in clauses 15 to 23 and 24. Amendment 1 enables clauses 15 to 23 to come into force on the day on which the Bill receives Royal Assent. Amendment 2 ensures that the higher penalties also come into force. Amendment 3 removes the subsection of clause 28 providing for sections to come into force at the end of the two-month period. Finally, amendment 4 ensures that the provisions of clause 24 that are not commenced early come into force via commencement regulations on a day determined by the Secretary of State. Without the amendments, the provisions relating to those powers would come into force two months after the Bill receives Royal Assent, which could put at risk the timely implementation of this important policy.

Question put and agreed to.

Clause 26 accordingly ordered to stand part of the Bill.

Clause 27 ordered to stand part of the Bill.

Clause 28

Commencement

Amendments made: 1, in clause 28, page 46, line 19, leave out “section 14” and insert “sections 14 to 23”.

This amendment would cause clauses 15 to 23 to come into force on Royal Assent.

Amendment 2, in clause 28, page 46, line 19, at end insert—

“(ca) section24, so far as it relates to section18;”.

This amendment is consequential upon Amendment 1. Clause 24 provides for higher penalties to be available for certain contraventions of information requirements, including contraventions associated with section 105Z12 of the Communications Act 2003, which is inserted by clause 18.

Amendment 3, in clause 28, page 46, line 25, leave out subsection (2).

This amendment is consequential upon Amendments 1 and 2.

Amendment 4, in clause 28, page 46, line 30, at end insert—

“(ba) section 24 (so far as not already in force by virtue of subsection (1));”.(Matt Warman.)

This amendment is consequential upon Amendments 1 and 2.

Clause 28, as amended, ordered to stand part of the Bill.

Clause 29 ordered to stand part of the Bill.

New Clause 3

Duty of Ofcom to report on its resources

‘(1) Ofcom must publish an annual report on the effect on its resources of fulfilling its duties under this Act.

(2) The report required by subsection (1) must include an assessment of—

(a) the adequacy of Ofcom’s budget and funding;

(b) the adequacy of staffing levels in Ofcom; and

(c) any skills shortages faced by Ofcom.’.—(Christian Matheson.)

This new clause introduces an obligation on Ofcom to report on the adequacy of their existing budget following the implementation of new responsibilities.

Brought up, and read the First time.

Christian Matheson Portrait Christian Matheson
- Hansard - - - Excerpts

I beg to move, That the clause be read a Second time.

--- Later in debate ---
Chi Onwurah Portrait Chi Onwurah
- Hansard - - - Excerpts

As always, my right hon. Friend raises a good point. Having worked for a quango, I had clear insight into the line between independence and dependence, and into the importance of the political will of the Government, regardless of supposed independence. Equally, I saw how any regulator or supposedly independent organisation can be used as a shield for Ministers who do not want to take responsibility.

My right hon. Friend also raises a good point about the hollowing out of capacity in Government Departments. A consequence of 10 years of austerity and cuts is that DCMS and other Departments do not have the capability, capacity or resources that they previously might have enjoyed. I will point out to the Minister the example of the Government’s misinformation unit. It has no full-time employees and is supposed to exist using resources already in the Department—for something as critical now, with the vaccine roll-out, as disinformation.

My right hon. Friend is right to emphasise that given the relationship between the Government and Ofcom, which is an independent regulator, and given the increase in responsibilities that the Bill represents at a time when other responsibilities are also being added to Ofcom, the Minister cannot have it both ways. He cannot have no visibility when it comes to Ofcom’s resources and capacity while giving it yet more responsibility. In fact, this seems to be responsibility without accountability. I hope the Minister will take on board the suggestions in new clauses 3 and 7.

Matt Warman Portrait Matt Warman
- Hansard - -

I thank the hon. Lady for her contributions. To address her central point, it would not be possible for Ofcom to meet the duties Government have tasked it with without addressing the foundational issue of security. It is important that we bear in mind that that is not an exhaustive list, but security will always be a foundational point.

The new clauses would require the Secretary of State to lay a report before Parliament within 12 months of Royal Assent. New clause 3 would require Ofcom to publish an annual report on the adequacy of its budget, resourcing and staffing levels in particular.

As the Committee is aware, the Bill gives Ofcom significant new responsibilities. Ofcom’s budget is approved by its independent board and must be within a limit set by the Government. Clearly, given the enhanced security role that Ofcom will undertake, it will need to increase its resources and skills to meet these new demands. As such, the budget limit set by the Government will be adjusted to allow Ofcom to carry out its new functions effectively. This is of a piece with the direction of travel we are going in. In 2012, Ofcom had 735 employees. Last year, it had 937 employees, so as its remit has expanded, so has its headcount. That will continue to be reflected in the level of resourcing that it will be given.

Christian Matheson Portrait Christian Matheson
- Hansard - - - Excerpts

Budget allocations can go down as well as up and there might be a future Government who are not quite as generous as past Governments have been. What guarantee can the Minister offer us that without some kind of reporting, such as that we propose, Ofcom’s budget will not be frozen or, indeed, reduced?

Matt Warman Portrait Matt Warman
- Hansard - -

Ultimately, a mechanism already exists by which Parliament is able to scrutinise Ofcom’s resourcing. Ofcom is required under the Office of Communications Act 2002 to publish an annual report on its financial position and other relevant matters. That report, which is published every March—I am sure the hon. Gentleman is waiting with bated breath for the next one—includes detail on Ofcom’s strategic priorities as well as its finances, and details about issues such as its hiring policies.

Lord Beamish Portrait Mr Jones
- Hansard - - - Excerpts

I am intrigued. The Minister says Ofcom already has over 900 people, and it is obviously going to have to grow. How big is DCMS? We basically have a mini-Department here.

Matt Warman Portrait Matt Warman
- Hansard - -

The right hon. Gentleman asks me a question that I may be able to answer in a moment, depending on a number of factors. As for the thrust of his question, Ofcom is ultimately a serious regulator that has the resourcing to do a serious job. The right hon. Gentleman would be criticising us if it had fewer people, so he cannot have his cake and eat it by criticising the fact it has enough to do the job—but I think he is going to have a go.

Lord Beamish Portrait Mr Jones
- Hansard - - - Excerpts

Quite the opposite. This just reinforces my point about quangos. If we reach a situation where quangos are bigger than the sponsoring Department it is perhaps best to keep things in-house rather than having arm’s length quangos and the nonsense behind which we hide in this country about so-called independence.

Matt Warman Portrait Matt Warman
- Hansard - -

The reality is that the relationship between Government Departments and regulators is very often incredibly close, but independence is an important part of regulation. Although the right hon. Gentleman makes a reasonable point about the optimal size for in-house expertise versus external expertise, it is getting the balance right between Ofcom, the National Cyber Security Centre and DCMS that this Government and the reporting measures we already have are fundamentally committed to providing.

The right hon. Gentleman talked about Ofcom’s resourcing. Ofcom will not be making decisions on national security matters, as we have said repeatedly, but it will to be responsible for the regulation around these issues. As the right hon. Gentleman said, the Intelligence and Security Committee has shown great interest in how Ofcom is preparing for its new role.

As for the point about disclosure and resources, I would be happy to write to the ISC to provide further details in the appropriate forum about Ofcom resourcing and security arrangements. This could include information that cannot be provided publicly, including information about staffing, IT arrangements and security clearances of the sort that we have discussed. I hope that Opposition Members understand that that is the appropriate forum to provide reassurance and to satisfy the legitimate requirements of public scrutiny on this issue.

Matt Warman Portrait Matt Warman
- Hansard - -

How to choose?

Christian Matheson Portrait Christian Matheson
- Hansard - - - Excerpts

My hon. Friend is the shadow Minister.

Matt Warman Portrait Matt Warman
- Hansard - -

I give way to the hon. Lady.

Chi Onwurah Portrait Chi Onwurah
- Hansard - - - Excerpts

I thank the Minister for giving way and for the tone of his response to the different points we made. I will leave the reassurance about writing to the ISC to my right hon. Friend the Member for North Durham. Does the Minister recognise that that does not address the issue of Ofcom’s resources and reporting more generally, particularly lower down the pipeline, when it comes to national security? We have emphasised again and again the breadth of powers. The Minister has said that Ofcom will have the discretion, for example, to require an audit of all operators’ equipment—an asset register audit. It will take significant resource to understand the audit when it comes back. There are significant resource requirements involved that do not necessarily require security clearance but are nevertheless essential to effective security, and the Minister does not really seem to be offering reassurance on those.

Matt Warman Portrait Matt Warman
- Hansard - -

I would say that there is a sensible place to put some of that information, which is the communication to the ISC that I have offered, and there is a sensible place to put other information, which is the annual reporting that already exists. Hopefully the hon. Lady can find some comfort in the fact that both the information that cannot be shared publicly and the information that can will be subject to an appropriate level of parliamentary and public scrutiny.

Christian Matheson Portrait Christian Matheson
- Hansard - - - Excerpts

I simply want to welcome the Minister’s comments, and the fact that he has recognised that the Intelligence and Security Committee is the appropriate place to discuss these matters, which, of course, cuts across other clauses that the Committee has already considered. He might bear that in mind on Report.

Matt Warman Portrait Matt Warman
- Hansard - -

I thank the hon. Gentleman for that intervention. I hope that now that I have given those various reassurances, hon. Members are appropriately comforted.

Everyone is waiting for the headcount of DCMS; I am assured that it is 1,304 people, some 300 more than that of Ofcom. I do not know whether that makes the right hon. Member for North Durham happier or more sad.

Lord Beamish Portrait Mr Jones
- Hansard - - - Excerpts

According to the website that I have looked at, the figure is 1,170, so it has obviously increased slightly. Still, it makes Ofcom with its new responsibilities nearly as big as, if not bigger than, the sponsoring Department.

Matt Warman Portrait Matt Warman
- Hansard - -

We can discuss the optimal sizes of quangos and Departments outside this room. However, the right hon. Gentleman is obviously right that Government Departments and regulators need the resources they require to do their job properly. I hope that by describing the various mechanisms I have provided hon. Members with the reassurances they need to withdraw the new clause.

Christian Matheson Portrait Christian Matheson
- Hansard - - - Excerpts

First, I owe you an apology, Mr McCabe; so keen was I to crack on with the consideration of the Bill that I did not say how great a pleasure it was to serve yet again under your chairmanship. I should have done so at the outset and I apologise.

I am grateful to the Minister for his response. I am looking to the shadow Minister, my hon. Friend the Member for Newcastle upon Tyne Central, for a little guidance. It could well be that we might want to serve a little bit longer under your chairmanship, Mr McCabe, by testing the views of the Committee on new clause 3, if we may.

Question put, That the clause be read a Second time.

--- Later in debate ---
I know that the Minister is reluctant to add to the duties of Ofcom. He will probably say that Ofcom could do this if it wanted to. I reiterate that Ofcom has a lot of things that it could or should do, and would do, but it does not have as a principal duty ensuring the forward-looking security of our networks. The new clause will ensure that that is regularly considered by Ofcom and that Parliament can exercise adequate and effective scrutiny. It would also contribute greatly to the ability of Ofcom and the National Cyber Security Centre to work together effectively, as they would to produce such a report. I hope the Minister will support the provisions of the new clause.
Matt Warman Portrait Matt Warman
- Hansard - -

As the hon. Lady said, we have addressed various issues relating to the new clause in previous debates. It is important to stress that Ofcom has the resources that it needs. She talked about its ability to face the future, but in our evidence sessions, we talked to Simon Saunders, the director of emerging technology. I know she does not wish to suggest that Ofcom does not do this already, but demonstrably it is already proactively engaged in horizon scanning.

Chi Onwurah Portrait Chi Onwurah
- Hansard - - - Excerpts

Speaking as someone who was head of technology at Ofcom, I am aware that it engages in horizon scanning. I am sure the Minister will come on to this, but while there might be horizon scanning to understand how markets evolve and what level of competition may be seen in new markets in the future, the new clause deals specifically with horizon scanning for security and security threats. I am sure the Minister will focus on that.

Matt Warman Portrait Matt Warman
- Hansard - -

It is important to say that we have amended section 3 of the Communications Act 2003, to which the hon. Lady alluded, so that Ofcom must have regard to the desirability of ensuring the security and availability of networks and services, so that should be incorporated into the horizon scanning work.

Chi Onwurah Portrait Chi Onwurah
- Hansard - - - Excerpts

This is an important point. I do not think the 2003 Act has been amended, since I had it reprinted a week ago. We were talking about the principal duties. Under section 3, Ofcom has about two and a half pages of duties that it needs to carry out, but only two principal duties. Those principal duties do not mention security.

Matt Warman Portrait Matt Warman
- Hansard - -

The hon. Lady is right, but as of 31 December 2020, section 3(4) states:

“OFCOM must also have regard, in performing those duties, to such of the following as appear to them to be relevant in the circumstances…the desirability of ensuring the security and availability of public electronic communications networks and public electronic communication services”.

It is absolutely there, but I fear we are getting into a somewhat semantic argument.

Chi Onwurah Portrait Chi Onwurah
- Hansard - - - Excerpts

The Minister is generous in supporting this back and forth in debate. I will close by pointing out that the duty to which he refers is one of 13 duties, so it can hardly be considered a priority. To put it more fairly, to ensure that it is a principal priority, it would need to be elevated.

Matt Warman Portrait Matt Warman
- Hansard - -

I think an organisation of 937 people can cope with 13 priorities. On one level, however the hon. Lady makes a reasonable point, and it is not one that we disagree with. Security has to be absolutely central to the work that Ofcom will do.

I will not restate the points I have made about how seriously we take the Intelligence and Security Committee and how seriously we will continue to take it. We will continue to write to the Committee on topics of interest as they arise and we are happy to continue to co-operate in the way that I have done; however, as I said in the debate on amendment 9, the primary focus of the ISC is to oversee the work of the security and intelligence agencies, and its remit is defined in the Justice and Security Act 2013. Amending the Bill to require regular reporting to the ISC, as proposed by the new clause, would risk the statutory basis of the ISC being set out across a range of different pieces of legislation.

Lord Beamish Portrait Mr Jones
- Hansard - - - Excerpts

Will the Minister give way?

Matt Warman Portrait Matt Warman
- Hansard - -

Earlier, the right hon. Gentleman was suggesting that it was the memorandum of understanding that he would like to see amended. Now he seems to be suggesting that we should insert the new clause, which will not change the memorandum of understanding.

Lord Beamish Portrait Mr Jones
- Hansard - - - Excerpts

No, I said in an earlier contribution that if it were done by the memorandum of understanding, I would be quite happy. I know the Minister is limited in the number of civil servants he has beneath him compared with Ofcom, but will he go away and read the Justice and Security Act 2013? It talks about Departments, but it also talks about intelligence more broadly, which is covered by the memorandum of understanding. I do not know why he is pushing back on this issue; it may be because of the Cabinet Office, which has more civil servants than he has. I suggest that we will win this one eventually.

Matt Warman Portrait Matt Warman
- Hansard - -

That may well be the case, but the right hon. Gentleman is not going to win it here—that is the important point to make. It is right not to try to address this issue in the new clause, but the Government will continue to take very seriously the work of the ISC, as he would expect.

Additionally, the new clause is designed to require Ofcom to provide annual reports to the ISC, which would, as the right hon. Gentleman knows, be particularly unusual in the context of the work of the Committee, as Ofcom will not be making judgments about the interests of national security under the Bill, or as part of its wider function. Ofcom’s role as regulator seems not to be something that comes under the purview of the ISC, even if I understand the broader point. As I said earlier, however, the NCSC is very much under the purview of the ISC, and there are plenty of opportunities for the Committee to interrogate the work of that excellent agency. I am sure the Committee will continue to take up such opportunities with vigour, but as I have said before, it would not be right to seek to reframe the remit of the ISC through the new clause. I ask the Opposition to withdraw it.

Chi Onwurah Portrait Chi Onwurah
- Hansard - - - Excerpts

I thank the Minister for his comments and for engaging so readily in debate. I have to say that we feel very strongly about the new clause, both for parliamentary scrutiny and for ensuring that Ofcom is looking forward and assessing future threats. With bated breath, I wish to test the will of the Committee on the new clause.

Question put, That the clause be read a Second time.

--- Later in debate ---
A decade of neglect of our telecoms infrastructure has left us vulnerable and created the need for this Bill. We support the Bill, but it is clear that to protect our national security now and in future we must have an effective network supply chain diversification strategy, plan and implementation. New clause 6 would ensure that this vital aspect of our telecoms security is regularly reviewed and scrutinised, so that the UK is never again forced to choose between technological progress and national security.
Matt Warman Portrait Matt Warman
- Hansard - -

The hon. Lady raised an important issue. Fundamentally, however, the issue of diversification is twofold. The Government want to see greater diversification within our telecoms supply chain. The £250 million allocated for the first three years of that programme to support the diversification strategy is a hugely important part of it.

As we are already seeing in the increased use of open RAN, whether with Vodafone in Wales or the NeutrORAN project with the NEC, there is already significant progress. I think that demonstrates that the industry does regard this—whether the hon. Lady wants to call it as an incentive or a carrot—as something that is making things happen to a greater extent. The Government cannot legislate for the diversification of the market; that is something that we can incentivise and work with the market to do.

We can monitor the diversity of networks, as Ofcom has the powers to do. We can set requirements on what the minimum standards might look like. For instance, NCSC guidance already says that two vendors should be the minimum, rather than one, for a telecoms network. That gives you an indication of what we will be monitoring and looking at, potentially, in codes of practice in the future. The hon. Lady is right to focus on this important issue, but it is wrong to pretend, important though Secretaries of State are, that any Secretary of State could legislate in the way she describes for the greater diversification that we all seek.

The focus of the Bill is on setting clear and robust security standards for our networks that telecoms providers must adhere to, and they must be met regardless of the diversity within any of those networks. To be fair, the diversity within a provider’s supply chain, in and of itself, does not offer the guarantee of network security. A provider using a diverse supply chain needs to be held to the standards set out in this Bill, so that the provider is able to offer the security standards that we need, regardless of the number of suppliers that they have available.

It is important to reassure hon. Members that Ofcom will have the ability to collect information relating to the diversity of suppliers’ networks under section 135 of the Communications Act 2003, as we have discussed. I do not think it is necessary to specify the need to collect information relating to diversification, as that is just one set of information that Ofcom may collect; it is just as important as several others in monitoring and reporting the security and resilience of networks. It is also important to clarify that, although greater diversity is critical in ensuring that we reduce our national dependence on a small number of suppliers, it is part of a broader approach to building security and resilience across the global supply chain that sits outside the Bill, important though it is. Diversification is an issue broader than the make-up of supply chains for UK providers alone, as the hon. Lady knows.

--- Later in debate ---
Chi Onwurah Portrait Chi Onwurah
- Hansard - - - Excerpts

On a point of order, Mr McCabe. I put on the record my gratitude, and that of my right hon. Friend the Member for North Durham and my hon. Friend the Member for City of Chester, to you and your colleague, Mr Hollobone, for the way in which you have expertly chaired proceedings in the Committee. I also sincerely thank all House staff who have supported our work here, including those representing Hansard, and particularly the Clerks, who have been absolutely invaluable in setting out our desires to improve the Bill in clear and orderly amendments and new clauses.

I also thank all members of the Committee from both sides of the House. This detailed, technical Bill is critical for our national security, coming at a time of national crisis, when we are braving—all of us: staff and Members—a pandemic in order to be here. We have had an orderly and constructive debate.

Matt Warman Portrait Matt Warman
- Hansard - -

Further to that point of order, Mr McCabe. What fun we have had! It is a pleasure to come to this point in the Bill’s passage. I echo the hon. Lady’s thanks to the House staff and to yourself, Mr McCabe, and Mr Hollobone. I also reiterate her point that this is a crucial Bill—one that I am glad enjoys cross-party support. I look forward to debating its further stages in the House.

Bill, as amended, to be reported.

Telecommunications (Security) Bill

Matt Warman Excerpts
Nigel Evans Portrait Mr Deputy Speaker (Mr Nigel Evans)
- Hansard - - - Excerpts

Before I call the Minister, may I say that I am anticipating three Divisions, on new clauses 1, 2 and 3? If there is to be an additional vote, I would like to be informed so that I can call it, but I understand that there are going to be only three Divisions.

Matt Warman Portrait The Parliamentary Under-Secretary of State for Digital, Culture, Media and Sport (Matt Warman)
- View Speech - Hansard - -

I thank all those Members who have contributed to the debate today. It is an important debate because digital connectivity is an integral part of all our lives. For countless people across the country, having fast and reliable broadband and a good mobile connection is vital to our way of life, but for us to truly reap the benefits of the gigabit-capable broadband and 5G, we need to have confidence that they are secure and that means securing the networks on which they are built, the supply chains on which they depend, and the equipment and services that support them. The Bill demonstrates clearly the Government’s commitment to ensuring the security and resilience of our telecoms networks.

Let me turn to the new clauses and amendments. I shall start by addressing new clause 1. As the UK’s communications regulator, Ofcom already plays an important role in ensuring the ongoing security and resilience of our networks by enforcing the current security duties under the Communications Act. This Bill will build on that experience, giving Ofcom new responsibilities and a range of new powers. What the new clause would do is require it to publish an additional statement as part of its annual report. Happily, I can reassure hon. Members that the Bill already has various reporting mechanisms included within it. Under the new and snappily named section 105Z, Ofcom will need to regularly report to the Secretary of State. Subsection (4)(a) makes it clear that that report must include information on the providers’ compliance with the duties imposed on them by the Bill.

Ofcom will also need to report on telecoms security in its annual infrastructure report, and clause 11 specifies that this should include information on the extent to which providers are complying with their security duties under new sections 105A to 105D. The Secretary of State will also need to regularly report to Parliament on the effectiveness and impact of the new telecoms security framework.

On the final point in the new clause of the hon. Member for Newcastle upon Tyne Central (Chi Onwurah) about publishing information on emerging and future security risks, that is not of itself necessarily the most productive way of handling security risks, but the principle that she is trying to get to is very much part of what the Government are seeking to do and, of course, it would be part of what we intend to make sure that we talk about as much as we can within the bounds of national security.

I turn specifically to budget and resources. The hon. Member has set out her concerns about Ofcom’s access to resources and capabilities. It is an issue that my right hon. Friend the Member for South Holland and The Deepings (Sir John Hayes) also touched on. I can tell the House today that Ofcom’s security budget for this financial year has been increased by £4.6 million on top of its current security budget. This funding will allow Ofcom to more than double its headcount of people working on telecoms security, ensuring that it has the necessary capability and capacity to deliver its new responsibilities under the Bill. The hon. Member for Newcastle upon Tyne Central is aware that I have written to the Intelligence and Security Committee about that security resourcing. It was at a level that I cannot go into on the Floor of this House, but I hope that provides the kind of reassurance that she seeks.

Specifically on the future risks that I alluded to a moment ago, we have ensured that the Bill is looking to the future. For example, clause 12(3)(b) amends Ofcom’s information-gathering powers under section 135 of the Communications Act to ensure that it can request information from providers concerning future developments in their networks that could have an impact on security and, when reporting on security, Ofcom must include any information that assists the Secretary of State in the formulation of security policy, allowing him or her to make an informed decision about what should be published as well in due course.

New clause 2 has been the subject of the majority of this debate, and rightly so. One of the phrases used about the ISC was that it adds value; this Government do not dispute for a second that it adds huge value, and I welcome the tone with which the Chairman of the ISC, my right hon. Friend the Member for New Forest East (Dr Lewis), has approached this. I appeared before the ISC with some trepidation, as is probably appropriate for all Government Ministers, but it was a hugely productive part of this process and something that I am more than happy to do again. I do not think that my right hon. Friend necessarily thinks that piecemeal changes to the ISC’s role are the way to pursue what he seeks, but the annual report that he has mentioned will certainly be looked at closely by the Government.

Julian Lewis Portrait Dr Julian Lewis
- Hansard - - - Excerpts

I am very happy to agree with what the Minister has just said. It would not be necessary to keep trying to put these provisions on the face of each individual Bill every time a new unit is set up in a different Department, or a new duty laid on a different Department, if it could be agreed with the Government that the memorandum of understanding would be adjusted as it is meant to be adjusted when these changes occur. However, sadly, no Front Bencher has yet been able to give us an assurance that that is going to happen, and I know that the Minister will not be able to do so, either.

Matt Warman Portrait Matt Warman
- View Speech - Hansard - -

As I say, I am sure that my right hon. Friend will make that point in the annual report, and the Government will look closely at it. However, Members can take some comfort from the fact that much of the advice in relation to the more sensitive technical and national security matters within the scope of this Bill will be provided by the National Cyber Security Centre, and its activities already fall within the scope of the ISC, as my right hon. Friend knows. However, I welcome his approach to this, and I hope that his mechanism, rather than that of new clause 2, will be the one he will support today.

I turn to the last of the new clauses tabled by Opposition Members. New clause 3 aims to include the diversification strategy in the scope of the Bill. Diversification is crucial to the future of our UK networks, which is why the Government set out their plans to diversify those networks in the 5G diversification strategy in November 2020. That strategy includes steps to invest in research and development, to remove technical and commercial barriers to entry for new suppliers, and to increase our influence in standard- setting bodies—all issues that my right hon. Friend the Member for South Holland and The Deepings and others on the ISC are keenly aware of the importance of.

We are pursuing a huge range of different mechanisms to enable diversification, because the Government are fully committed to ensuring that their strategy comes to fruition. However, the diversification strategy moves the whole market forward by broadening the supplier base in many ways that are beyond the security measures that are the purview of this Bill, including increased innovation and competition and the overall growth of the telecoms supply mechanisms.

To give the House an idea of some of the non-legislative measures that we are already pursuing, they include the investment in R&D development facilities such as the National Telecoms Lab and the SONIC—SmartRAN Open Network Interoperability Centre—lab that is jointly at work with Ofcom. We are also working to remove barriers to entry for vendors such as by co-ordinating the sunsetting of legacy network technologies, working internationally to co-ordinate diversification objectives, and exploring the use of commercial incentives to address the cost of incorporating new suppliers into a network.

Jim Shannon Portrait Jim Shannon
- Hansard - - - Excerpts

I asked a question to do with the Northern Ireland Assembly and how cyber-security in Northern Ireland will be protected. Can we have an assurance on the Floor of the House today and through Hansard that that will happen?

Matt Warman Portrait Matt Warman
- Hansard - -

I will come on to the devolved aspects in amendment 1 in a moment, but it is of course vital that we continue the collaborative relationship with the Northern Ireland Executive and with the Welsh and the Scottish Governments as well.

The Bill places security requirements on individual operators. They are hugely important, but they are not diversification requirements on the Government’s national scale. Defining diversification in legislation would be limiting in a hugely rapidly evolving market. I know that the hon. Member for Newcastle upon Tyne Central understands the need for agility, and putting what she proposes into legislation would run counter to that ambition.

On the devolved Administrations, amendment 1 would require the Secretary of State to consult Ministers from the devolved Governments when reviewing the impact and effectiveness of clauses 1 to 13. As the hon. Member for Aberdeen South (Stephen Flynn) noted, telecoms is a reserved matter under each of the devolution settlements. I say that, however, in the full knowledge that a constructive and close working relationship with each of the devolved Governments is hugely important, be it in Project Gigabit, in the shared rural network, or indeed in matters such as this. I look forward to that collaboration continuing; it will drive forward our connectivity.

I turn briefly to the amendments that were not selected. My right hon. Friend the Member for Chingford and Woodford Green (Sir Iain Duncan Smith) has spoken passionately about these matters, both privately and publicly. I do not want to go into a huge amount of detail on amendments that were not selected, but I simply say that the actions the Government are taking in the Bill speak powerfully for themselves.

On the specific matter of issuing designation notices to vendors headquartered in other countries, it is important to consider not just whether the kinds of laws that my right hon. Friend mentions exist, but how the Government in question intend to use them. A friendly democracy may, as indeed many do, have laws that would enable it to yield information and data from companies headquartered within their territory. The conduct of such a Government, and our relationship with them, may reassure us that they would not use those powers to do harm to the UK, but there are other cases where Governments that have these laws have acted contrary to the national interest of the UK in the past. As we set out in the illustrative notice for Huawei, there is a law in China that enables the Chinese Government to collect information from companies headquartered within its territory. As the Foreign Secretary has stated, we know that the Chinese state has in the past used its power to undertake malicious cyber-activity. The designation notice that I mentioned demonstrates how the Government could take those sorts of laws into account when exercising the powers that are already in the Bill.

I thank my hon. Friend the Member for Wealden (Ms Ghani) for her work on the NATO Science and Technology Organisation. We very much welcome her preliminary draft report. I would like to express the Government’s commitment to deepening our co-operation with partner nations such as Japan and the Republic of Korea.

I thank all hon. Members on the Government Benches, and indeed on the Opposition Benches, for their constructive engagement throughout this debate. This is an important Bill that enjoys strong cross-party support, in the main. The sooner we can pass it, the sooner we can set about the crucial work of ensuring that our public telecoms networks are secure and resilient. I commend the Bill to the House.

--- Later in debate ---
Matt Warman Portrait Matt Warman
- Hansard - -

I beg to move, That the Bill be now read the Third time.

I thank right hon. and hon. Members for their contributions today, and I also thank the excellent team of Clerks of the House, those at the Department for Digital, Culture, Media and Sport, and all those involved in the preparation of the Bill. In particular, I thank those who work at our agencies to support so much of what goes into our national security: they are the best among us, and all of us in the House are grateful for their service.

The first priority of this Government is to keep people safe and this Bill is just one step in achieving that objective. It is a precise and technical Bill but an important one none the less. While we might have disagreed on some of the details, it is encouraging that there is such broad consensus across this place and I hope that that spirit of co-operation continues when the other place considers the Bill.

The Bill will ensure the security and resilience of the UK’s telecoms networks for years to come. Bringing it into force on Royal Assent cannot come soon enough. It will create one of the toughest regimes for telecoms security in the world. It will protect our networks and shield our critical national infrastructure both now and in the future, as technologies grow and evolve. With this Bill, we are delivering on our commitments in the 2019 telecoms supply chain review, which were informed by the advice from the world-leading NCSC and GCHQ. Today, we have taken an important step towards putting those commitments on a statutory footing and taking action to protect and secure our important networks.

I hope that, in my response to the amendments and new clauses, I provided reassurance on the role of Ofcom, the importance of diversification and the other matters raised. I welcome the constructive challenge of Members on those points, and I hope I have reassured them that we are pushing in the same direction. I thank all Members for their contributions. I commend the Bill to the House and look forward to it passing through the other place.

Telecommunications (Security) Bill

Matt Warman Excerpts
Iain Duncan Smith Portrait Sir Iain Duncan Smith (Chingford and Woodford Green) (Con)
- Hansard - - - Excerpts

I will be brief, as much has been said already. However, I want to say a bit to my hon. Friend the Minister about Lords amendment 4. I also, by the way, want to recognise my hon. Friend the Member for Boston and Skegness (Matt Warman), who is no longer a Minister but who was in charge of much of the Bill’s passage. I thought that he did an excellent job. It is a very good Bill which is long overdue, and there is much to praise in it.

I think that Lords amendments 4 and 5 are worthy of a little more assessment. Lords amendment 4 does have merits, because it recognises that there is a real problem about diversification. The point that I was trying to make to the hon. Member for Newcastle upon Tyne Central (Chi Onwurah) earlier was not an argument against any kind of strategic review or industrial policies; it was the argument that if a nation is in a sense rogue, in terms of its ability to stay within the market, and subsidises companies deliberately for strategic effect, that is why the number of companies will fall from 15 to three in the free world, which is what happened in this case. I think the amendment is about the need to recognise the fact that diversification, if not pursued deliberately, will lead us into the hands of a country like China, which then forces us eventually to have only one vendor on price, because that country has subsidised it.

As for Lords amendment 5, I heard the argument of my right hon. Friend the Member for New Forest East (Dr Lewis), the Chairman of the Intelligence and Security Committee, but I would not regard this as “gilding the lily”. I do not much like lilies and I think they could do with a bit of gilding, but I think that this is more a case of locked doors, and if the amendment is about putting an extra door into the security panoply, I think it is important. I will be brief, but last year, along with many others, I had very strong arguments with the Government about Huawei, and we were disregarded, disregarded, disregarded. The Government even led out all the great security experts who told them that they could control everything, saying, “Don’t worry, we can manage the risk”—until it finally became apparent to them that they could not. We faced that at the time. Other Five Eyes members had already said that this was not on, but we seemed to disregard their views. So I simply say that this is not about gilding the lily; it is about reminding the Government that they must abide by these provisions.

I should also make the point that there are many other companies to which we should be giving real consideration right now, and which are being looked at and banned by the Five Eyes—such as Hikvision and ByteDance—and I urge the Government to think again about those as well.

Matt Warman Portrait Matt Warman (Boston and Skegness) (Con)
- Hansard - -

I want to thank the various Members who have paid tribute to my small role in this Bill. I say simply to the right hon. Member for North Durham (Mr Jones) that I regard all reshuffles as an upgrade, so I welcome the Minister to her place. I mean that sincerely. I would also like to pay tribute to the officials—some of whom are in the Box today—who do not get enough credit for getting the Bill to the place that it is in. Ultimately, this is the Bill that will remove Huawei from our 5G network, and that is something that we should all welcome. It addresses a number of the issues that I raised and discussed robustly, as my right hon. Friend the Member for Chingford and Woodford Green (Sir Iain Duncan Smith) said, during the process of getting the Bill to this point.