Telecommunications (Security) Bill (Sixth sitting) Debate
Full Debate: Read Full DebateMatt Warman
Main Page: Matt Warman (Conservative - Boston and Skegness)Department Debates - View all Matt Warman's debates with the Department for Digital, Culture, Media & Sport
(3 years, 10 months ago)
Public Bill CommitteesMy hon. Friend makes the point precisely: the way in which telecoms have developed in this country has been piecemeal, only developing now into the four main operators. I hope we will try to get others into the market.
We are to blame for that, as consumers, because we have demanded ever lower prices for our mobile services. Does that suggest that the operators have taken shortcuts? No, I am not suggesting that, but consumer preferences have driven down price, and therefore the costs of what those operators provide in delivering the services that we all take for granted. Let us be honest: the Chinese saw the opening door for Huawei—that is why they bought into and flooded the market, putting Government loans behind it. Can we blame the operators for saying, “Well, actually, this is a good deal—we can get good deals”? But they cannot.
I am interested to know from the Minister how, looking forward, we are going to do that. I accept that something will be done under the regulations that the Government will put out, but how will we look backwards as well? As my hon. Friend the Member for Newcastle upon Tyne Central said, there is a lot of legacy equipment there, and it is important for Ofcom to have a clear understanding of what is in the networks.
It is a pleasure to serve under your chairmanship, Mr McCabe.
We are redefining UK telecoms security, but I worry that we are also redefining the aspiration of the hon. Member for Newcastle upon Tyne Central to crack on, so I will try to be brief. The good news that I can deliver, briefly, is how the aspirations of both the hon. Lady and the right hon. Member for North Durham are met in the legislation, and how we envisage those aspirations’ being implemented.As the Committee is aware, the Government have published an early draft of the security regulations. Certain draft requirements are relevant to the aims that we have talked about today. If hon. Members look at regulation 3(3)(a), with which they will be familiar if they are insomniacs, they will see a duty for network providers
“to identify, record and reduce the risks of security compromises to which the entire network and each particular function… of the network may be exposed”.
That is already there and key to the issues that hon. Members have been talking about.
I had looked at those requirements. I appreciate that they are drafts, but they talk about identifying issues. They do not say “audit”.
I think this would be impossible to identify without carrying out some kind of audit. There is a danger of a semantic argument, but I understand the point the hon. Lady is making. We want people to be in the position to make the kind of identifications that we are requiring. I do not see how they could do that without the records to which she refers, in terms of both the existing kit and future kit that they might put into their network.
This is an important point. The criticism that I will articulate later is that too much of the Bill is based on an assumption that the players in the sector will automatically do the right thing. For example, there is an assumption of a dialogue between Ofcom and the major players. Will the Minister think about whether he is satisfied that an assumption goes far enough in something as important as this?
The regulation that I cited is an example of the Government not relying on assumptions. It is an example of us publishing, in advance, exactly the sort of material that demonstrates that this is not assumptions, and that it is there in black and white. That is an important distinction and it demonstrates the cross-party consensus that we have had thus far. We continue to be on the same page in terms of the level of detail required.
The evidence sessions with industry demonstrated that national providers already maintain some asset registers. Witnesses were clear that those registers are maintained and updated as technologies are updated. That is an important part of the existing landscape, but our regulations will ensure this kind of best practice is extended across public telecoms providers.
In addition, the Bill contains measures with regard to the use of particular vendors’ equipment. Inspection notices under clause 19 enable Ofcom to carry out surveys of a specific network or service where Ofcom receives a monitoring direction from the Secretary of State to gather information on a provider’s compliance with a designated vendor direction. Alongside that, clause 23 enables the Secretary of State to require the provision of information about the use of goods, services or facilities supplied, provided or made available by a particular person. That could be used to require information about a provider’s use of a particular vendor’s equipment.
Taken together, the issues that have been raised are not only entirely legitimate, in the view of the Government, but are addressed in black and white already, both in the Bill itself and in the drafts that we have published. We are ensuring that “hardware of interest,” whatever that might be, is subject to proper oversight and monitoring. That objective does not need the approach that might come as a consequence of this amendment, because it is already there. For that reason, I welcome the probing nature of the amendment. I hope that my answer has satisfied some of the concerns, and I look forward to doing so further in future answers.
It is a pleasure to serve under your chairmanship, Mr McCabe, and I thank the Minister for his comments. I also thank my right hon. Friend the Member for North Durham and my hon. Friend the Member for City of Chester for their comments. This amendment is probing, so we will not push it to a Division. I would like to say two things to the Minister. Although it is true that the providers were confident that they had an asset anywhere their equipment was, other experts who gave testimony in the evidence sessions were not. My experience of networks is that there are multiple systems and this information is not easily accessible or searchable.
I am reassured by the Minister saying that his view is that these requirements could not be met without there having been some kind of audit, to have that information ready. I ask him to write to me, if possible, stating which provisions in the requirements set that out. I beg to ask leave to withdraw the amendment.
Amendment, by leave, withdrawn.
Question proposed, That the clause stand part of the Bill.
It is good to reach this landmark point. I do not propose to go over all the ground we have covered, because we have already covered a large chunk of this in discussing the amendments.
As I mentioned, proposed new section 105A means that telecoms providers will need to take appropriate action to ensure adequate security standards and limit the damage caused by any breaches. To support that duty, the proposed new section will create a new definition of “security compromise”. The definition is purposely broad. It includes anything that compromises the availability, performance or functionality of a network or service, or that compromises the confidentiality of the signals conveyed by it. That addresses some of the points made by the right hon. Member for North Durham a moment ago. This is a comprehensive approach that will help to ensure providers protect their networks and services properly in the future.
Earlier, I mentioned law enforcement and national security. This part of the Bill excludes certain conduct that is required or authorised under national security legislation or for law enforcement from the definition of “security compromise” in subsections (3) and (4). Those subsections also clarify the fact that, for example, disruption of the use of unauthorised mobile phones in prisons would not be a security compromise.
Proposed new section 105B will give powers to the Secretary of State to make regulations imposing duties to take specific security measures. The power will enable more detailed requirements to be imposed on providers, further to the overarching duty set out in proposed new section 105A(1). This will give greater clarity to providers about the measures that they must take. It will also allow the legal framework to be adapted as new threats arise and technology changes.
These security requirements deliver on our commitment in the telecoms supply chain review to place targeted, actionable and proportionate requirements on a statutory footing. Taken together, the new overarching security duty and requirements will, in secondary legislation, make clear what the Government expect of public telecoms providers. The provisions in the clause are crucial for improving the security of our telecoms infrastructure.
As the Minister says, reaching the end of consideration of clause 1 is a landmark. We are cracking on at a slower pace than anticipated, but it is important that we have rehearsed a number of the arguments that you will hear, Mr McCabe, throughout our detailed scrutiny of the Bill.
Those arguments relate to our concerns with regard to national security, which Labour prioritises, yet we do not see that priority recognised consistently in the Bill; the effective plan to diversify supply chains on which it depends, but which it does not mention; and the scrutiny of the sweeping powers that the Bill will give to the Secretary of State and Ofcom. Those issues all arise in the clause, although we welcome the Bill and the increased duties. Will the Minister clarify the relationship between proposed new section 105A and proposed new section 105B? If he cannot do so now, perhaps he will write to me.
I am happy to write to the hon. Lady on the matter she has discussed. We anticipate draft directions in due course that will be network specific, because each network is different, but the overall tenor will be in the same direction. This is probably a matter that we can talk about outside the Committee in a bit more detail to make sure she gets the answers she wants.
Question put and agreed to.
Clause 1 accordingly ordered to stand part of the Bill.
Clause 2
Duty to take measures in response to security compromises
Question proposed, That the clause stand part of the Bill.
We are one thirtieth of the way there. The clause will place a duty on providers to take measures in response to security compromises through proposed new section 105C. When managing security, providers should seek to reduce the risk of security compromises occurring under their duty in proposed new section 105A. As security threats and attacks evolve, it will never be possible for providers to reduce that risk to zero. Therefore, should a security compromise occur, it is crucial that providers take swift and effective action to mitigate its effects. Taking action quickly will also help to mitigate the risk of any further incidents.
Mirroring the approach taken in clause 1, the new duty in proposed new section 105C is overarching and sets out a general duty on providers. It is supported by proposed new section 105D, which will provide the Secretary of State with powers to make regulations requiring providers to take specific measures in response to security compromises of a description specified in regulations. Although it will clearly not be possible to anticipate every security compromise that might occur and to set out how providers should respond, this will enable more detailed provision to be made in appropriate cases. Measures can be specified in the regulations only where the Secretary of State considers those measures appropriate and proportionate.
In practice, the first set of requirements will be contained in a single set of regulations made under the powers of proposed new sections 105B and 105D. A draft of the regulations has already been made available to members of the Committee, and published on gov.uk. Regulations made using this power will give providers clarity about the measures that they need to take, and having those measures set out in secondary legislation has the benefit of allowing the regulations to be reviewed as technology and security threats change over time.
In summary, this duty on providers is an integral part of the new framework, which will ensure providers take control of the security of their networks and services at a time when the UK stands on the cusp of a 5G and full fibre revolution. We must keep those technologies secure to enjoy their full benefit, and the clause is essential to doing that.
We are cracking on: clause 2 is taking but a few minutes. The Opposition recognise the critical importance of our network providers taking responsibility for the security of their networks, and that there can never be a zero-risk network. Given that network communications are ever present in almost every aspect of our life and of our nation’s economy and security, it is right and appropriate that the Bill should put requirements in place, both on the operators and in response to specific security compromises.
I should like to have better understood how we would expect network operators to respond to a compromise such as the SolarWinds one, for example, but I expect that the clause will at least place the right duties on network operators, and I am content that it should stand part of the Bill.
Question put and agreed to.
Clause 2 accordingly ordered to stand part of the Bill.
I rise to support my right hon. Friend’s excellent comments and to add a couple of points on amendment 10, which would require the Secretary of State to consult the National Cyber Security Centre before issuing a code of practice about security matters. My right hon. Friend spoke ably about the amendment’s intent to ensure security input on national security measures. That sounds basic, so I hope the Minister will explain why he feels it is unnecessary to make that explicit in the Bill. My right hon. Friend suggested that perhaps it should go without saying, but as we heard in the evidence sessions and have already discussed, the evolving security landscape and the change that the Bill represents, through the new powers for the Secretary of State and Ofcom, make it particularly important to set that out expressly.
The Bill looks at many issues to ensure the security of our networks from supply chains to requirements on network providers as well as raising technical issues, and Ofcom will need to do a lot specifically, so it is important to have a specific reference to the security function of the National Cyber Security Centre.
It came across clearly in the evidence sessions that Ofcom will not be making national security judgments. Lindsey Fussell said:
“It is important to say that, across the scope of the whole Bill, it is not Ofcom’s role to make national security judgments. That is really important. Clearly, that is the Government’s and the Secretary of State’s role, taking advice from the NCSC and the intelligence agencies.”—[Official Report, Telecommunications (Security) Public Bill Committee, 19 January 2021; c. 89, Q113.]
In introducing the code of practice, it is essential to ensure that security input and expertise. I do not see why the Minister would object to including such a requirement in the Bill. Unfortunately, we are not always as joined up as we would like to be. There are numerous examples of issues that could have been prevented, had agencies of Government done what might have been expected of them and talked to teach other. As the Bill involves network operations and deep technical and security issues, a requirement to consult the NCSC is particularly important, and that is what the amendment would achieve.
I apologise in advance, having said that we should crack on, for detaining the Committee for a few minutes on this group of amendments. They relate to clauses 3 and 4, which deal with the codes of practice for security measures and informing others of security compromises. Ultimately, the new telecoms framework comprises three layers. There are strengthened overarching security duties set out in the Bill, there are specific security requirements in secondary legislation, and there are detailed technical security measures in codes of practice. Clause 3 deals with the final layer of the new security framework. Specifically, it provides the Secretary of State with the power to issue and revise the codes of practice and sets out the legal effects of any published codes of practice.
Clause 4 addresses what would happen should there be a security compromise. It puts in place a process for users to be informed of significant risks of a security compromise. The clause also places a duty on public telecoms providers to inform Ofcom of any security compromises with significant impacts, and it creates the power for Ofcom to inform other persons in turn, including users.
I turn now to amendment 5, which seeks to ensure that the NCSC is also informed of security compromises. From a drafting point of view, the NCSC is part of GCHQ, and I take the amendment to refer to GCHQ in that sense. Within the new telecoms framework, the Department for Digital, Culture, Media, and Sport will set the policy direction, Ofcom will regulate and the NCSC will provide technical and security advice. As the UK is an world-leading national authority on cyber-security, we expect the NSCS to share its expertise with Ofcom in order to support the implementation of a new telecoms security framework.
For that reason, the Government absolutely agree that it is crucial that the NCSC receives information about telecoms providers’ security. That is why such information-sharing provisions already exist. Under section 19 of the Counter-Terrorism Act 2008, Ofcom or the Secretary of State is able to share with the NCSC any information that would support the NCSC in carrying out its functions. That would of course include the passing on of details of security incidents. Under new section 105L of the Communications Act 2003, which this Bill inserts, Ofcom must report all serious security incidents to the Secretary and State and can pass on information about less serious incidents as well. On receiving such information, the Secretary of State can then share the information with the NCSC, as I have set out. Although these probing amendments are well-intentioned, it is obvious that the provisions are already there.
I thank the Minister for his response to the amendments. He is focusing on the fact that it is possible for information to be shared, but it is not required. I understand that the Bill as drafted, and preceding best practice, means that it is possible for information to be shared. My concern is that it is not required.
I understand the hon. Lady’s point, and I will come to something that I think will address it in a moment. Before I do, I will speak to amendments 6 and 10, as they would be functionally identical amendments to new section 105F in clause 3.
New section 105F sets out the process for issuing a code of practice. It requires a statutory consultation on a draft code of practice with the providers to whom the code would apply, Ofcom and other persons such as the Secretary of State considers appropriate. The amendments would apply an additional requirement to formally consult the NCSC when publishing a draft code of practice. I can reassure the Committee that we will continue to work closely with technical experts at the NCSC, as we have done over a number of years.
The telecoms supply chain review demonstrated the Department’s capability to work with our intelligence and security experts to produce sound recommendations, backed by the extensive and detailed security analysis that I know Members of all parties would like to see. That initiated the next phase of the collaborative work that culminated in the introduction of the Bill, and the codes of practice continue that theme. The purpose of such codes is to provide technical security guidance on the detailed measures that certain public telecoms providers should take to meet their legal obligations.
We have already been clear that NCSC guidance will form the basis of an initial DCMS-issued code of practice. The NCSC has already developed a set of technical measures that is in the process of being tested with the industry, and those technical measures have been refined and improved over the last two years. The NCSC will continue to update the measures to reflect any changes in the landscape of threats, as the right hon. Member for North Durham described, and the relationship between the work of the DCMS and that of the NCSC means that such changes would be reflected in the code of practice. Alongside the DCMS and Ofcom, the NCSC will play a key role in advising public telecoms providers on how to implement detailed codes of practice.
I agree with the Minister, in the sense that I think he and the Secretary of State at the DCMS are committed to there being very close working, but as I said, he ain’t gonna last forever. An issue will come up —in fact, it came up last night on the National Security and Investment Bill—when operators and others say, “Actually, from a commercial point of view, this is more paramount,” or, “This is what we should be doing.” The Secretary of State will come under a lot of pressure to perhaps look at prosperity issues rather than security issues. I just wonder whether, without the relevant provision in this Bill, a future Secretary of State could say, “Well, I’m going to ignore that issue, because I want to pander to”—well, not pander to—“accept the commercial and prosperity arguments.”
The right hon. Gentleman keeps going on about ministerial impermanence, but I will not take it personally.
Too kind! The key part to this is that, obviously, Ofcom remains an independent regulator and will be working closely with others. The right hon. Gentleman makes a fair point about the inevitable balance between national security and a whole host of other issues, but ultimately that independence is absolutely essential. In the light of our long-standing and established working relationships across the DCMS, NCSC and Ofcom, it seems reasonable to say that there is a track record demonstrating what he has asked for. But given the Committee’s interest in the role of the NCSC in this regime, I will just make one last point. Its role is not explicitly described in the Bill, as the NCSC already has a statutory remit, as part of GCHQ, to provide technical security advice and to receive information on telecoms security for the purpose of exercising that function.
The NCSC and Ofcom will very soon publish a statement setting out how they will work together. I think that addresses some of what the hon. Member for Newcastle upon Tyne Central mentioned; I believe she has some familiarity with Ofcom. I think it is right, because they are independent, that that statement comes from them, as well as the Government expressing a view on this. The statement will include information on their respective roles and their approach to sharing information on telecoms security, and it should provide greater clarity, which hon. Members are entirely legitimately asking for, about the NCSC’s role, including how it will support Ofcom’s monitoring, assessment and enforcement of the new security framework.
I hope that the sorts of matters that I have talked about provide the kind of reassurance that Members have asked for.
A statement is a welcome step forward, but—the Minister can write to me on this; he need not respond to me today—what is its legal weight? Again, I am not wanting to consider the Minister’s demise, but I would like to know that future Secretaries of State and Ministers will use it as the template and will not be able to say, “Well, we are going to ignore that statement.” That would be very welcome, because it would bind the two organisations together, which is important, and ensure that the security aspects were taken into consideration, but will the Minister just write to me, saying what weight the statement would have? I have to say that I sympathise; I do not like Christmas tree Bills that start having things added on. If it could be done in a complete way, I would be quite happy with that. The only thing that I want to know is, basically, what its status will be in future. I beg to ask leave to withdraw the amendment.
Amendment, by leave, withdrawn.
Question proposed, That the clause stand part of the Bill.
The Committee has already heard me talk about some of this, but I think it important to provide a little more detail. The code of practice, which we have discussed, is a fundamental building block of the regime and will contain more specific information on how telecoms providers can meet their legal duties. It will provide guidance on how, and to what timescale, certain public telecoms providers should comply with their legal obligations, and will be based on technical analysis by the NCSC. Individual measures will therefore reflect the best protections against the most pressing threats to network security. The code will, for example, set out the detailed technical measures that should be taken to segregate and control access to the areas of networks that process and manage customers’ data.
We recognise of course that different companies have different ways of setting up and running their networks, and because our telecoms market is dynamic and competitive, providers range in scale from multinational giants such as Vodafone down to innovative local start-ups. We want therefore to ensure that the code of practice is proportionate, and that public telecoms providers take appropriate security measures.
I will touch as briefly as I can on how we intend to achieve that proportionality through a tiered system. Tier 1 will contain the largest national-scale public telecoms providers. Should any of those providers have a significant security incident, it could bring down services to people and business across the UK. Those operators will have the greatest level of oversight and monitoring from Ofcom. Tier 2 will contain medium-sized public telecoms providers. Those providers may not be as large, but in many cases they are critical to regions and to business connectivity. They are expected to have more time to implement the security measures set out in the code of practice.
Tier 3 will contain the smallest public telecoms providers, including small businesses and micro-enterprises, which, of course, must also comply with the law. They are not anticipated to be subject to the measures in the code of practice, but will need to comply with their legal duties as set out in new sections 105A and 105C, and in any regulations. Our expectation is that Ofcom would regulate those providers more reactively.
New section 105F describes the process for issuing a code of practice. When the Government publish a draft code of practice, we will consult with industry, Ofcom and any other appropriate persons. Specifically, publishing the first code of practice will include consulting on the thresholds of each of the tiers that I have described and on the timings for their implementation. Following the consultation period, and once the code is finalised, it will be published and a copy will be laid before Parliament.
New section 105G gives the Secretary of State the power to withdraw a code of practice. Again, that will follow consultation with industry and Ofcom. A notice of withdrawal will be laid before Parliament. The legal effects of the code of practice are described in new section 105H. To be clear, the code of practice is guidance only; it is an important tool that operators should use to comply with their legal duties.
The legislation places a duty on providers. Meeting the strictures of the code of practice would be the way of demonstrating that they were meeting that duty as an initial step, but of course, we see individual companies making decisions, for a host of reasons, to exceed codes of practice in every area of regulated life,
and I would expect that to continue in the area in question as well.
Where relevant, provisions in a code could be taken into account in legal proceedings before courts or tribunals, which I think gives some sense of their status. That would include any appeals against Ofcom’s regulatory decisions heard by the Competition Appeal Tribunal. Ofcom will take account of the code of practice when carrying out its functions as required in new section 105H(3) in relation to telecoms security, as I have just described.
Under new section 105I, if Ofcom has reasonable grounds for suspecting that a telecoms provider is failing, or has failed, to act in accordance with a code, it can ask public telecoms providers to explain either how they meet the code of practice or, if they do not meet it, why. For example, if the network set-up of a particular telecoms provider meant that it could achieve a level of security equivalent to that in the code by other means, it could explain that in its statement responding to Ofcom. In such a case Ofcom might be satisfied that the provider was complying with its security details, but hon. Members will see that we are again trying to ensure a proportionate approach to the relevant part of the framework.
We believe that the code of practice will provide an appropriately flexible framework, which will be able to change as new security threats evolve, providing clarity for telecoms operators on what is required of them by this new telecoms security framework.
I will not detain the Committee very long either, as we agree about the importance of codes of practice. I will not say that I am entirely reassured to hear of the statement being issued by Ofcom and the NCSC on how they will work together, but I certainly think that it is a positive development, and I hope we will be able to see it before the Bill progresses to the House.
On the codes of practice, as my right hon. Friend the Member for North Durham set out, it is important that the sector should understand the standard to which it will be held. I have some concerns about the tiering system, because, as was made clear by a number of witnesses during the evidence sittings, all networks are joined up and we are only as secure as the weakest link. At the same time, it is important to have a proportional burden on new entrants as we indeed hope to diversify the supply chain.
I understand, although perhaps the Minister can clarify the point, that the codes of practice will not refer to the diversification of the supply chain, despite the fact that having a secure network—we shall debate this in more detail—is dependent on having a diverse supply chain. I have made the point a number of times, and will make it repeatedly, that the lack of linkage between the diversification strategy, implementation and the security of our networks is an ongoing cause for concern. However, having made those comments, I do not object to the clause.
Question put and agreed to.
Clause 3 accordingly ordered to stand part of the Bill.
Clause 4
Informing others of security compromises
Question proposed, That the clause stand part of the Bill.
As with clause 3, I have already spoken to clause 4, addressing an amendment on this issue. It will be crucial that we ensure that the Government, Ofcom, public telecoms providers and their customers have the information that they need to understand when security compromises have occurred, and then use the knowledge to prevent compromises in the future. New section 105J requires that providers inform their users of significant risks of security compromises and actions that they can take to avoid or mitigate any adverse consequences.
We want to ensure that this is done in a transparent and open way, so the clause specifies that telecoms users should be notified in clear and plain language, and given a named contact they can get in touch with if they have any further questions. Giving users that information will help to ensure that, where possible, they can take swift action to protect themselves and raise broader awareness.
New section 105K requires security compromises to be reported to Ofcom. That information will provide Ofcom with insight into the security of individual telecoms providers and security risks across the landscape, enabling us to target its regulatory action more effectively. The Bill also requires that providers report pre-positioning attacks on the network. These are attacks that do not affect the network or service at the time but allow access that could result in further security compromises. These attacks pose real risks but too often remain invisible to a regulator.
Finally, under new section 105L, Ofcom is required to share information about serious security compromises with the Government. It may also share information on less serious compromises if, for example, it would help the Government with developing telecoms policy and future regulation.
The clause explains how Ofcom can share information about security compromise with other groups and organisations, and the Bill allows information sharing at Ofcom’s discretion with overseas regulators, other providers, telecoms users and, where appropriate, the wider public. It allows Ofcom to advise network and service users of the measures that they should take to prevent, remedy or mitigate the effects of the security compromises, to direct providers to give such advice themselves.
The clause ensures that the regulator has access to the information that it needs, and will help to ensure that the entire industry is aware of new and evolving risks and can respond accordingly—be that a customer changing their password or an operator tightening its defences against a new attacker.
I thank the Minister, as always, for graciously giving way. I will make this point later, but I want to give the Minister the opportunity to consider how the requirement for Ofcom to notify users might work with the Information Commissioner’s requirement on data controllers to also notify users when there is a data hack.
Obviously, there could be an overlap in those notification requirements, but our expectation would not be that anyone would receive multiple notifications. That is why there is an emphasis on the nature of communications being clear and obvious to laypeople.
Speaking gives me an opportunity to take my face mask off. I will make a few points about clause 4, which is broadly welcome because it clarifies for operators what their responsibilities are, not just from a national security point of view but from a consumer point of view. I think there is an issue, though, which my hon. Friend the Member for Newcastle upon Tyne Central raised.
Again, I do not want the Minister to respond now, but I think the crossover with the Information Commissioner might be one area that we need some clarity on. Is there an example of this? Yes—the TalkTalk case. People might look at this Bill and think national security is about the Russians or the Chinese hacking, but that was a criminal act that led to a lot of people’s data being compromised. From a constituency point of view, as any Member of the House at that time will know, trying to get TalkTalk to do anything about that, in terms of the losses that people incurred, was virtually impossible. That is why these clauses are so important.
We are cracking on at such a pace that I lost my place somewhat. I had forgotten that we are now discussing clause 4. My apologies, Mr McCabe.
My right hon. Friend the Member for North Durham has already addressed some of the points that I wanted to make, but let me say that we welcome the duty being placed on providers to report security incidents. I have long campaigned, in relation to cases such as the TalkTalk incident, to make that duty clearer and more comprehensive regarding the information that needs to be shared with users and those who are affected, and for them to have some kind of right of redress, which is effectively part of the Bill.
I welcome the requirement in clause 4 to inform others of security compromises, but will the Minister provide more clarity? There is some indication of the range of actors that the providers and Ofcom must inform, but I do not feel that there is an understanding of the level of information that will be shared with different actors. For example, if the public are to be informed of a security breach, compared with the requirement from the Information Commissioner’s Office, which, as I said, actually goes far enough, what level of information might be shared with other actors, such as other networks? My right hon. Friend talked about who else might be informed. It is also clear that the sharing of information will probably need to evolve over time, as the nature of compromises and their potential reach changes. I wonder how these requirements might be adapted to reflect that.
I will just say a little about the sharing of information with overseas regulators. If that is clearly set out in the Bill, I am unable to find it. Presumably, such data sharing will still have to conform with the requirements of our data protection legislation. Will it also reflect international data-sharing gateways for criminal prosecution purposes?
Those are just some general comments. We welcome the clause.
I will reply briefly. On the point about compensation, essentially new section 105W of the Communications Act 2003, which is inserted by clause 8, covers the civil liability point, which I think opens the door that the right hon. Member for North Durham seeks to open. Then there are the notifications to industry of what is essentially best practice and recent threats. Of course, as he implied, there is a balance to be struck with the existing work of all those involved, but ultimately it would feed into the codes of practice, so there is both an informal and a formal mechanism, if I can put it like that.
On the hon. Lady’s final point about the international sharing of information, it would depend on the nature of the information, as she implied. Some of it would pertain to national security, and some of it would pertain to the kind of criminality that she has spoken about about, where there are existing provisions as well. In that sense, of course, it is all covered by our own data protection regime, which has the sorts of carve-outs I have just described but operates in that holistic framework.
I raised the point, as did my hon. Friend the Member for Newcastle upon Tyne Central, that we are asking operators to inform individuals about data compromises. That is welcome, but as my hon. Friend said, there might also be a breach of the Information Commissioner’s regulations, and we just wanted to get some idea of how the two would mesh together. I do not expect the Minister to know now, but could he write to us to say how the two would interact?
As I said in response to the hon. Lady, there is obviously a potential overlap. The focus of this Bill is on clarity of communication to the consumer, but I am very happy to write to the right hon. Gentleman or the Committee with further details of that potential overlap.
The Minister is being incredibly generous with his time. To clarify what we are hoping to receive, as he has indicated, we would not want the ICO to be sending out notifications to 2 million people who had been affected by a hack, and Ofcom to be doing that as well. We would expect there to be co-ordination in that regard, and we would just like to see that set out.
I am very happy to do so. I think it is obvious that clarity of communication would be incompatible with duplication.
Question put and agreed to.
Clause 4 accordingly ordered to stand part of the Bill.
Clause 5
General duty of OFCOM to ensure compliance with security duties
I beg to move amendment 11, in clause 5, page 9, line 41, at end insert—
“(2) Providers of public electronic communications networks and public electronic communications services must notify Ofcom of any planned or actual changes to their network or service which might compromise their ability to comply with the duties imposed on them by or under sections 105A to 105D, 105J and 105K.”
This amendment would require providers of public electronic communications networks or services to notify Ofcom of any changes to their network or service which might compromise their ability to comply with their security duties.
It is a great pleasure to serve under your chairmanship, Mr McCabe. Since this is my first substantive contribution to the Committee, I pay tribute to the Front Benchers. It is nice to have a Minister who, I believe, was formerly a tech journalist specialising in telecoms, and who knows the subject well. Of course, the shadow Minister, my hon. Friend the Member for Newcastle upon Tyne Central, was a telecoms engineer and an Ofcom regulator for many years, and I pay tribute to her and her staff. The Committee should know that in addition to running this Bill Committee from the Opposition’s side, she has also been working in the main Chamber this week on the National Security and Infrastructure Bill Committee. Juggling two Bills at once is no mean feat.
I have also greatly enjoyed the interplay between my right hon. Friend the Member for North Durham and the hon. and gallant Member for Bracknell, both of whom have considerable national security experience. I was intrigued by my right hon. Friend’s estimation of the hon. and gallant Gentleman’s intervention as Schrodinger’s intervention—one that managed to be simultaneously right and wrong. He has set a new standard there.
From listening to the debates on previous clauses, it is clear that a common thread passes through the Bill, which we in the Opposition have been hoping to link up. Partly, it is to do with the question we raised earlier about the assumption that everybody understands exactly what the intention in the Bill is, and that everything will be all right in the long term. My right hon. Friend the Member for North Durham has talked about the importance of making things as clear as possible when it comes to responsibilities, because a future Minister might not be as adept in this subject as the hon. Member for Boston and Skegness, who currently occupies that position. In a sense, that is the heart of amendment 11.
I rise simply to support the excellent speech made by my hon. Friend the Member for City of Chester. I thank him for his very kind words. In the amendment, he makes an important contribution in ensuring that Ofcom knows what it needs to know and in putting the onus more firmly on the network providers. I simply ask the Minister to respond to the points that my hon. Friend made in his concluding remarks about being forward-looking.
A challenge for us as a nation in securing our networks during such fast-paced technological change is looking backwards to the problems we have had rather than forwards to the evolving and new threats. During the evidence sessions, we were accused of fetishising 5G as if that was the only security challenge, because of the visible problem with Huawei, and that we were not looking more broadly. I admired Ofcom during my time there because it was set up to be a forward-looking regulator. To achieve that aim, when it comes to the sweeping new requirements around security that are placed on it under the Bill, it needs to be able to see what changes are happening and are likely to influence future evolving threats. To do that effectively, amendment 11 requires the network providers to notify Ofcom of planned or actual changes.
It is worth remembering that—I made this point earlier—if BT had been required to notify Ofcom or another body of changes to its network as Huawei moved to a greater and more dominant position in its network, that might have rung alarm bells more generally. We have also already mentioned the shift that we are seeing on the importance of software and software configuration and services in controlling the network. Requiring providers to notify Ofcom of planned or actual changes to the network would make that evolution more easily visible and therefore provide Ofcom with greater visibility of how all our networks are evolving and what new threats may arise as a consequence.
The amendment would add to the general duty in clause 5 that places on Ofcom the duty to ensure that providers comply with their security duties. The duty as written in the Bill makes clear Ofcom’s increasing role. The duties imposed on public telecoms providers in the Bill are legally binding, so as the Bill is written providers should not be taking decisions that would prevent them from complying with those duties in the future. If they were not to comply, they would be in breach of their legal duties and liable for enforcement action, including the imposition of the significant penalties set out in the Bill.
The underlying purpose of the amendment—that Ofcom should take a proactive role in regulating the regime—is already core to what is in the Bill and the Government absolutely agree with the principle that the hon. Member for City of Chester set out. We need to ensure that Ofcom has the tools to be forward-looking so that, in a world of fast-changing technologies and threats, it can understand where operators are taking their networks and how that will affect their security. That is an absolutely essential part of the Bill.
Does the Minister agree that the Bill in its current form is prescriptive enough already?
I think the Bill is perfectly drafted down to every comma and punctuation mark. To be slightly more serious, what we have sought to do in the drafting is to strike the balance between proportionate regulations and the overarching requirements for national security. That is the balance that we have struck and it is exactly for that reason that we already do in the Bill what the hon. Member for City of Chester and the shadow Minister seek with the amendment.
In section 135 of the Communications Act 2003, as amended by clause 12, Ofcom is already allowed to require information from providers about the future development of networks and services that could have an impact on the security of the network or service they are providing. That would enable Ofcom, for instance, to assess the security risks arising from the deployment of a new technology or from the proposed deployment of a new technology. For those reasons, I hope that the hon. Members are reassured not just that the Bill does what they seek, but that previous drafts of the Communications Act already did so.
I thank the Minister for giving way; in doing so, he shortens what I will say later. I think the Minister is saying that Ofcom has the power to require information, which is true, but the amendment is about providers proactively giving that information. Ofcom cannot request information about a change to the networks that it does not know is happening. I am hoping that perhaps what the Minister is implying is that he would expect Ofcom regularly to review what was changing in the networks and therefore make those requests for further information. Could he clarify that point?
The sort of horizon scanning that the hon. Lady describes is core to all essential regulation, and the relationship that Ofcom has with those whom it regulates promotes the ability to have such conversations. But as I said, the key point is that an operator that proposes knowingly to introduce a risk into its network would clearly not be complying with the statutory provisions of the Bill. That is the essential nub of the issue.
I enjoyed the semantic gymnastics by the hon. Member for City of Chester as he tried to expand the scope of the Bill, but I shall try to stick to what is in it. There is a lot of consensus across parties, so I shall resist the temptation of saying that £50,000 is a demonstration that Labour is willing to put a price on national security, which this party will never do, but I understand the points that he makes on both fronts.
The clause provides Ofcom with strengthened powers, including powers to give assessment notices to a provider, that are vital to enable it to fulfil its expanded and more active role. Assessment notices are an important new power in the regime that will give Ofcom tools to assess fully a provider’s security and the extent to which it complies with its security duties. It is Ofcom’s intention that when assessing a provider’s compliance, its first port of call would be to use its information-gathering powers under section 135 of the Communications Act 2003. Ofcom would then use its power to give an assessment notice if it wanted to check the veracity of the information or to follow up a security concern. While Ofcom will therefore use its powers in a targeted and proportionate way, it is also the case that a provider with good security practices would expect to be subject to a lighter-touch assessment. Providers’ duty to bear the costs of assessments will therefore have an incentivising effect.
The amendment would insert a new subsection into new section 105N, limiting the costs that Ofcom could incur in carrying out an assessment. Fundamentally, a hard cap of any sort will always be an arbitrary number which will potentially put an additional hurdle in place. It might be necessary for some of those tests to require genuinely extensive assessment—penetration testing, or red teaming, as exercises are sometimes called, where penetration tests mimic the action that an attacker might take to access the network. Those attacking actions may of course be from sophisticated sources, and the costs of mimicking them in an entirely legitimate way could be substantial; but it is right, in the interest of national security, that Ofcom does not reduce the quality of its testing. We would not seek to limit that either, notwithstanding its independence.
I can offer the Committee some reassurance, however, that Ofcom’s assessment costs will not be excessive. It has a general duty to act proportionately and to follow other principles representing regulatory best practice. Finally, a provider’s duty is to pay only such costs as are reasonably incurred by Ofcom in an assessment, so there is a balance there.
As to the proposed new subsection that would limit those able to carry out assessments to Ofcom or a UK Government agency, the assessments, as the hon. Member for City of Chester knows, may be complex and need specialist skills. Methods such as penetration testing might need specific technical skills and we should not limit Ofcom in that way. However, we should also bear in mind, as the hon. Member for Newcastle upon Tyne Central mentioned, that the independence and expertise of Ofcom is the greatest bulwark against such entirely unfounded but legitimate concerns as those raised by the hon. Member for City of Chester, about who might be appointed by this or any Government to carry out a task in the national interest. None of us would want—and I do not suggest that the hon. Gentleman is doing this—to get into the business of questioning Ofcom’s independence in performing the tasks in question.
I am somewhat concerned at the implication of what the Minister says. We cannot put a price on national security, and Ofcom has a role. In an evidence session, Ofcom’s representatives said that although its role excludes any question of its making security decisions, it would ensure compliance, yet now the Minister seems to be saying that Ofcom will not have the skills to ensure compliance. I agree that there are specialised skills. Penetration testing, for example, is a specialised skill, but I would argue that it is a skill that Ofcom should take on as part of this new remit. I say again to the Minister that the skills needed to ensure compliance should be within Ofcom’s remit, or should be better defined.
Ofcom itself is best placed to exercise discretion as to whether it should carry out those assessments in-house, or whether it should have the flexible capacity to have the capability brought in as necessary. Ultimately, I do not think that anyone would wish to prevent Ofcom from having the ability to do what it thinks necessary by forcing it to use in-house staff only, because we cannot predict the future, as Members on both sides of the Committee have highlighted. Although the cause that the hon. Member for City of Chester is pursuing is a noble one, its unintended consequence would be to constrain Ofcom in both the expertise that it has at its fingertips and the costs that it might incur. We would not want to limit Ofcom’s discretion to make those decisions as an independent organisation.
Actually, the amendment would not limit Ofcom’s discretion to bring in additional resources or skills. It would limit Ofcom’s discretion to Government agencies or organisations within the public sector, which, on matters of national security, we should be able to do.
If the hon. Lady were right, the only people from whom we would have heard evidence over the last few days would have been public sector employees. She knows just as well as I do that the cyber-security sector is a vast mesh of public and private expertise, which is inevitable given that we have private networks offering communications services. Although I understand her point, and I am all for Ofcom having as much expertise as it needs to do its job properly in-house, I simply do not think that we should constrain what it can access in the way that the amendment would.
On this, I think we probably agree on far more than we would perhaps like to admit, but the reason that this is a probing amendment, as the hon. Member for City of Chester said, is because imposing artificial constraints would not be beneficial to Ofcom’s work. We understand what he said, however, and in broad terms, the Government agree.
I am grateful for the debate and for the Minister’s response, but I do not intend to press the amendment any further. I beg to ask leave to withdraw the amendment.
Amendment, by leave, withdrawn.
I will go very briefly over the diversification strategy, which is essentially a £250-million initial tranche of investment to diversify the UK network, with a focus, to a certain extent, on open RAN, as the hon. Lady said. On the information that she would require, I agree with her so comprehensively that the provision is already in the Bill. Section 135 of the Communications Act 2003, as amended by clause 12—she is right that the provision is not in this clause—provides Ofcom with the power to gather information on diversification where Ofcom considers the information necessary for the purpose of carrying out its functions. Clause 12 specifically provides that such information can include information concerning future developments of a public electronic communications network or public electronic communications service that could impact on security. As I said, I agree with her so comprehensively that we had already foreseen the issue and the provision is already in clause 12. The addition of it to this clause would not change that fact. I hope that that provides—
I thank the Minister for those comments. He says that the provision is already in clause 12. This is obviously down to my lack of studying, and I thought that I had studied every line of the Bill, but where specifically does clause 12 refer to diversification of supply chains?
The approach that we have adopted across the Bill is that powers such as those in clause 12 are more than wide enough to cover exactly what is needed. What I am essentially saying, I suppose, is that the legal interpretation of clause 12 absolutely does what the hon. Lady seeks, because it is an absolutely essential part of one of the purposes of the Bill. That is why I hope she can take the necessary comfort to withdraw her amendment.
I am very happy to write to the hon. Lady to clarify why it is our belief that the Bill does that. What I would say is that the kind of specificity that she seeks would have the unintended consequence of narrowing what we do, rather than retaining the broad powers that we have in the Bill. As has been the case so often today, we do not disagree on the intent that she is seeking to obtain, and that is why the Bill is drafted as it is. As I say, I am very happy to write to her to try to clarify some of that.
We all agree that the Minister is someone whom we like and who has the best intentions. On that basis, and on the basis that we can table further amendments at this stage or on Report if his letter of reassurance should not be sufficiently reassuring, I beg to ask leave to withdraw the amendment.
Amendment, by leave, withdrawn.
Ordered, That further consideration be now adjourned. —(Maria Caulfield.)