Chi Onwurah Portrait Chi Onwurah (Newcastle upon Tyne Central) (Lab) [V]
- Hansard - - - Excerpts

I beg to move, That the clause be read a Second time.

Baroness Winterton of Doncaster Portrait Madam Deputy Speaker (Dame Rosie Winterton)
- Hansard - -

With this it will be convenient to discuss the following:

New clause 2—Provision of information to the Intelligence and Security Committee—

“The Secretary of State must provide the Intelligence and Security Committee of Parliament as soon as is reasonably practicable with a copy of—

(a) any direction or notice (or part thereof) that is withheld from publication by the Secretary of State in the interests of national security in accordance with section 105Z11(2) or (3) of the Communications Act 2003;

(b) any notification of contravention given by the Secretary of State in accordance with section 105Z18(1) of the Communications Act 2003;

(c) any confirmation decision given by the Secretary of State in accordance with section 105Z20(2)(a) of the Communications Act 2003;

(d) any reasons for making an urgent enforcement direction that are withheld by the Secretary of State in the interests of national security in the accordance with section 105Z22(5) of the Communications Act 2003; and

(e) any reasons for confirming or modifying an urgent enforcement direction that are withheld by the Secretary of State in the interests of national security in accordance with section 105Z23(6) of the Communications Act 2003.”

This new clause would ensure that the Intelligence and Security Committee of Parliament is provided with any information relating to a designated vendor direction, notification of contravention, urgent enforcement action or modifications to an enforcement direction made on grounds of national security.

New clause 3—Network diversification—

“(1) The Secretary of State must publish an annual report on the impact of progress of the diversification of the telecommunications supply chain on the security of public electronic communication networks and services.

(2) The report required by subsection (1) must include an assessment of the effect on the security of those networks and services of—

(a) progress in network diversification set against the most recent telecommunications diversification strategy presented to Parliament by the Secretary of State;

(b) likely changes in ownership or trading position of existing market players;

(c) changes to the diversity of the supply chain for network equipment;

(d) new areas of market consolidation and diversification risk including the cloud computing sector;

(e) progress made in any aspects of the implementation of the diversification strategy not covered by subsection (a);

(f) the public funding which is available for diversification.

(3) The Secretary of State must lay the report before Parliament.

(4) A Minister of the Crown must, not later than two months after the report has been laid before Parliament, make a motion in the House of Commons in relation to the report.”

This new clause requires the Secretary of State to report on the impact of the Government’s diversification strategy on the security of telecommunication networks and services, and allow for a debate in the House of Commons on the report.

Amendment 1, in clause 14, page 21, line 27, at end insert—

“(3) The Secretary of State must, in the process of carrying out reviews and drafting subsequent reports, consult the appropriate ministers from the devolved governments.”

Chi Onwurah Portrait Chi Onwurah
- View Speech - Hansard - - - Excerpts

It is a great pleasure to speak in this debate on Report. As I may have mentioned before, I am a chartered electrical engineer; before I entered Parliament, I worked for 20 years helping to build out the networks—fixed wireless and mobile—that became the internet. I am proud of that work and of the immense contribution that the telecommunications sector makes to our society, our economy and our security.

I am very pleased that today we are dedicating parliamentary time to our telecommunications sector. I thank all Members across the House who served on the Bill Committee for our many hours of fruitful debate as we strove to secure improvements to the Bill. I also thank the officials of this House, particularly in the Public Bill Office and the Library, who have provided such excellent support.

I declare an interest: many provisions in the Bill deal with the regulator Ofcom, and my last telecommunications role was with Ofcom. I joined it in 2004 just a few weeks after it was born, when it was to be a light-touch regulator, small and nimble. As a consequence of my time in the sector, I have been calling for greater security, particularly for our mobile networks, since I first entered this place in 2010.

The Labour party and I welcome the intention behind the Bill, but a number of areas in it need to be addressed. We are here today because of the Huawei debacle of the Government’s making. The Government have been forced to require the removal of Huawei, at an estimated cost of £2 billion and a delay of two to three years to our 5G roll-out, after overseeing Huawei’s rapid rise to be the foremost supplier to the telecoms company that carries our country’s name and universal service obligation: British Telecom.

The telecoms supply chain review found that there were no incentives for our mobile network operators to provide secure networks. Moreover, successive Tory Governments have squandered the world-leading position on broadband infrastructure left to them by Labour in 2010, as the United Kingdom has fallen down the league table from 27th to 47th in the world for average internet speeds. This lack of sovereign capability and absence of an effective telecoms strategy has resulted in our dependency on high-risk vendors, which the Bill seeks to address.

I am sure that you will be pleased to know, Madam Deputy Speaker, that I will not repeat the same arguments on Huawei that have dominated the debate over recent years. Given where we are now, we support the aims of the Bill. National security is the first duty of any Government, and Labour will always put national security first. Our telecoms infrastructure is clearly critical to our defence and security, as well as our economic prosperity.

We agree that, as the Bill sets out, the Secretary of State should have powers to designate vendors of concern and require mobile network operators to take appropriate action, and that Ofcom should have the power to monitor and enforce those directions. However, we wish to improve the Bill in three key areas, which our new clauses 1, 2 and 3 seek to address.

The first area is national security. Labour prioritises national security, and the sweeping powers that the Bill gives the Secretary of State must be used in the interests of securing our critical national infrastructure. Removing Huawei does not, in and of itself, make our networks secure now or protect them against future threats; that requires a number of additional measures, some of which are in the Bill and some of which are not. For a start, if our telecoms network is to be secure, there must be expert democratic oversight of the measures that make it secure—yet the Bill makes no provision for Parliament’s experts, the Intelligence and Security Committee, to be informed or consulted. We want to fix that.

Secondly, the security of our network depends on an effective plan to diversify the supply chain. We are very concerned that the Bill does not even mention diversification and thus risks short-changing our national security, our technological sovereignty and our telecoms infrastructure. We want to ensure that progress is made in diversification as a prerequisite for the security of the telecoms network and a UK sovereign capability should be a part of that.

Thirdly, the Bill gives many new responsibilities and powers to Ofcom. That follows a vast expansion of Ofcom’s remit over the past 10 years. We want to make sure that Ofcom is appropriately resourced to carry out its duties and to be forward looking, not simply looking back.

One of the great failings of the Bill is that the Government are so fixated on fighting the last battle—the Huawei battle—they are not looking to the future. That is, in part, because various Government Back-Bench Members have very real concerns about the rise of China and its influence on our infrastructure. But these concerns, however well justified, seem to be blinding the Government to threats that are not Chinese in origin. We want to fix that. We want Ofcom to have the resources and the will to monitor the evolution of our telecoms networks, so that future threats, wherever they come from, can be identified and we do not find ourselves forced, as we are now, to make a huge change to our networks, at a huge cost to our economy.

I turn to new clause 1. As I said in my opening remarks, I joined Ofcom in 2004 when it was in its infancy as a slimline regulator. I kept a copy of the Communications Act 2003 on my desk. Since then, that Act has already doubled in size as Ofcom has acquired responsibility for critical national infrastructure: the BBC; the Post Office; online harms—that Bill is coming down the road; and, in this Bill, parts of national security as well. This latest expansion of Ofcom duties will necessarily add a strain not only to its budget, but to its resources. In January, in response to my written question, the Government stated that Ofcom would have the resources that it needs to do the job, in which case the Minister should be keen to support new clause 1, which requires Ofcom to report on the adequacy of its resources in fulfilling its functions under the amendments made in the Bill.

Ofcom lacks experience in national security measures—this was discussed during the evidence stage—and the expansion of duties will require the recruitment of people with the required level of security clearance and experience. That is not going to be easy, as we heard during the evidence sessions. Emily Taylor of Oxford Information Labs said that Ofcom

“will have to acquire a very specific set of skills and capabilities and that will require substantial investment and learning as an organisation”.––[Official Report, Telecommunications (Security) Public Bill Committee, 19 January 2021; c. 72, Q84.]

These skills are rare. The memo from the Minister, for which I am grateful, sets out how Ofcom and the National Cyber Security Centre will work. While it is welcome that they will work together, it did not provide the reassurance that we need. Indeed, it suggests that Ofcom will be entirely dependent on the NCSC for cyber skills and therefore, presumably, unable to understand the advice that it receives from the organisation.

New clause 1 requires Ofcom to report annually on the adequacy of measures taken by network providers to comply with changes introduced in the Bill, empowering the Government to track the effectiveness of the legislation. However, new clause 1 does more than that. It ensures that Ofcom has the human and informational resources to be forward looking. As I said, we are concerned that the Bill is backward looking and does not look to future threats. New clause 1 requires Ofcom to provide an assessment of emerging or future security risks based on its interrogation of network providers’ asset registers.

I am pleased that the Government are taking steps—as I understand it from the Minister—to formalise existing best practice in the telecoms sector and ensure that national providers maintain asset registers. I can tell Members that that has not always been the case. As the Minister said during the Committee stage, asset registers are an

“important part of the existing landscape”––[Official Report, Telecommunications (Security) Public Bill Committee, 21 January 2021; c. 162.]

But I ask him: why does he not take this further? We need to ensure that we have a good understanding of our national assets and so can assess emerging threats. Doing so would have made Huawei’s dominance visible earlier and it would now enable warning signs of future concerns—and there are future concerns. Again, Emily Taylor said:

“I feel a little like we have been fetishising 5G and a single company for the last two years, perhaps at the expense of a more holistic awareness of systemic cyber-security risks… Healthcare systems probably would not have been top of the list two years ago, but now they are. The SolarWinds attack shows that the identity of the vendor is not always the key risk point. SolarWinds is a very trusted vendor from a like-minded, close ally country, and yet it turns out to be a critical single point of failure across key, very sensitive Government Departments, both in the US and the UK.––[Official Report, Telecommunications (Security) Public Bill Committee, 19 January 2021; c. 74, Q88.]

So I want the Minister to consider that in his response on this proposal.