Telecommunications (Security) Bill (Third sitting) Debate
Full Debate: Read Full DebateSara Britcliffe
Main Page: Sara Britcliffe (Conservative - Hyndburn)Department Debates - View all Sara Britcliffe's debates with the Department for Digital, Culture, Media & Sport
(3 years, 11 months ago)
Public Bill CommitteesProfessor Webb, would you like to respond?
Professor Webb: I certainly agree with all that. I have written standards myself and even run a standards body, so I know how they work. The important point is that it is not possible for a Government just to say, “We are going to influence that standard.” Standards are influenced by the working papers written by the companies that attend the standards body. The UK Government themselves could not really have an influence, and nor could a university or any other organisation like that, not unless they spent inordinate amounts of money and hired a lot of people to write a lot of papers. There needs to be a concerted global or western European effort, or some kind of larger scale activity that can help the larger companies with the resources and expertise and the standards bodies to step up their efforts.
Q
Professor Webb: I think the Bill is fine when it comes to potentially delivering the security desires. It seems to be a very flexible Bill and has the capability to do all those kinds of things. My key worry is more one of proportionality. The Bill essentially says everything must be done to make sure that networks are completely secure. Of course, security is extremely important, but we could have a situation where there is a very tiny risk of some security breach but the mitigation is inordinately expensive, and that might result in higher consumer costs for mobile phones.
Ofcom will need to weigh up that proportionality and make sure its response is correctly balanced, but I do not see that in the Bill. I worry that the risk aversion that I think will happen automatically with the regulator may result in excessive security measures that penalise consumers when they are not particularly necessary. That is my biggest concern looking at the current structure.
Emily Taylor: I agree with William’s overview of the Bill. It is great to see that the industry welcomes it. We heard from Ciaran Martin yesterday in his evidence to the National Security Strategy Committee that industry asked for this, because it had reached the limit of what it could do on a voluntary basis. It is great that it will lead to substantial investments and security. The telecoms security requirements are almost a recipe book—a very clear set of instructions on how to build more secure networks, which is great, particularly the focus on securing the management plane.
However, as William has described, in certain scenarios, there are almost unlimited liabilities for providers, not just to their customers, but to every person who could be affected by a contravention under clause 8. The inspection notices give very wide powers, including entry to premises, and the provider pays for that, so there is not much incentive for Ofcom as the regulator to think about whether this is justified value-for-money-wise and how to target interventions. I could go on, but the other question I have is about Ofcom’s capacity in this sector, because it will have to acquire a very specific set of skills and capabilitie,s and that will require substantial investment and learning as an organisation as well.
Q
Professor Webb: No, I was not.
Emily Taylor: No.
Q
Dr Drew: The two essentially go together. If you look at the membership and those who take part in ITU standard setting committees and groups, you will see a predominance of not only state representation from China, but also representation of Chinese companies.
I think it needs to be made clear to our providers the benefits to them of being able to set standards; I believe this has been overlooked. The easiest way to do that is to simply look at some of the technical standards that have been set or lobbied for in this group by companies such as Huawei and ZTE, which are essentially entrenching their technical standards into a global standards body—that obviously gives them an advantage in producing that output. I think our companies could benefit in exactly the same way, and they would certainly benefit from taking part.
On having providers be more proactively involved, I think it would make complete sense for these actors to be made to inform Ofcom, or whichever regulator is chosen, of significant changes to their supply chains. It would be akin to having a black box where we go, “Okay, this black box must output something secure, but we don’t need to know how it gets there.” I think we should know, as much as is possible, who is involved in the supply chains to reach our eventual telecoms network.
Q
Dr Drew: It is undeniable, as the previous witness stated, that this Bill will increase costs and potentially slow down the pace at which development of these technologies, to the standards that are now being asked for, can be done. I have been asked similar questions before about what is the cost of us not getting to 5G roll-out as soon as possible. My general response has been to point out that although 5G is a backbone technology that provides access, we have very few practical applications of the speeds and connectivity that this network will provide us with.
It is something that you might see on your phone, but the increase in speed from having a 5G connection will be almost so fast as to be unnoticeable to the normal user. We have not got to the point where we have large city-wide technologies that will draw on this infrastructure, such as traffic management, health systems and economic production systems.
Although there might be a delay and an increase in cost—which again, I think we should try to meet in a way that incentivises more players to come into this market—I think this delay is not crippling. That is because, at the moment, although the 5G technology itself is maturing, the uses of that technology are still immature and I do not think we are losing out too much if we have a slight delay, with the benefit of reaching greater security.
Q
Dr Drew: I believe they were. I have seen a lot of attempts to quantify the damage or impact of limiting our vendor net, as it were. With the removal of Huawei, I have seen multiple attempts to put a value to that—of the slowdown and having to go to different vendors. I am uncertain as to the accuracy of any of those, and I think that it would be very difficult to put a number on that in any useful sense.
My impression is that there is nothing that should stop us from being able to enact the goals of this Bill and the incentives to diversify the market, while also being able to develop and invest in the next stage of 5G use, which is its actual application, and to marry those two up together in a manner that provides us with both security and financial and economic benefit from putting these systems in place.
Q
Dr Drew: I think what needs to be considered in that question is the type of resources that will be the hardest for Ofcom to acquire. I frankly believe it is not necessarily technology; I believe it is actually personnel. The edge that is given to companies that have already been mentioned in your hearings today—Google, Microsoft, Facebook et al—is not necessarily in the technology, but in those who design the technology. Those people are hard to come by at the level that we require them at. They are also very hard to keep, because once they reach that level of acumen and they have Google, Facebook or Amazon on their CV, they can pretty much choose where they go and, often, how much they ask for in the process.
I think the biggest issue that Government face—not only in Ofcom, but in regards to future technology policy—is attracting and keeping those individuals who can provide the services and understanding, as well as develop the tools, that a future Government will need. If you can demonstrate a way to capture that talent and retain it, I think that would go a long way to soothing any potential questions about whether Ofcom will be capable of meeting the requirements of this and other Bills. This goes across all Departments, I feel.
Simon, do you have anything to add?
Simon Saunders: No, not in that area. It might be relevant to mention, just to make the point that it can be done, that I actually joined Ofcom from a role at Google.
Q
Lindsey Fussell: Are you referring there to the high-risk vendor powers?
Yes.
Lindsey Fussell: Yes, I think so. It is important to say that, across the scope of the whole Bill, it is not Ofcom’s role to make national security judgments. That is really important. Clearly, that is the Government’s and the Secretary of State’s role, taking advice from the NCSC and the intelligence agencies. In relation to telecoms security, that has enabled us to take the very detailed work and the threat assessment that the NCSC has done, which have been translated into a set of requirements in the code of practice, and to apply those and work with operators to monitor and enforce that compliance without having to make those national security judgments ourselves. On high-risk vendors, I think it inevitable that there will be more national security judgments to be made, so it is quite proper that that role sits with Government rather than the regulator.
Q
Lindsey Fussell: As I say, we have existing networks security responsibilities, so the issue of security clearance is one that we already need to deal with. I think the point that I have just made is important: we will not be making national security judgments, and that means that we will need access to less national security information than you might imagine. I do not think that we will be routinely handling national security information, but where the NSCS feels that it is required, there are clearly provisions in place for that.
Having said that, as now and in future, there are occasions when we have to handle sensitive information, and we do have the necessary security clearances in place at different levels for our staff to do that. As we recruit, we will obviously ensure that people have those necessary security clearances so that we can handle any sensitive information that we are given.