18: After Clause 14, insert the following new Clause—
“Horizon-scanning body
(1) Within three months of this Act being passed, the Secretary of State must establish a body corporate with a remit to consider emerging and future developments for the telecommunications sector for the purposes of identifying current and emerging security threats.(2) The body must include representatives from, but is not limited to— (a) the National Cyber Security Centre;(b) the intelligence services;(c) the National Cyber Force;(d) the Ministry of Defence(e) the Home Office;(f) the Department for Digital, Culture, Media and Sport;(g) the National Security Council;(h) the Investment Security Unit;(i) the Armed Forces;(j) OFCOM;(k) relevant industry bodies and companies;(l) relevant telecommunications and security experts.(3) The body must publish a report annually which is laid before both Houses of Parliament.”
Good afternoon, everyone. I am looking forward to the Committee session this afternoon. Two days ago was my first Grand Committee sitting as a Member of the House of Lords, and I was impressed by the quality of the contributions. I have been moved by the intellectual power of the people here and I look forward to that. I was grateful to the Minister for her contributions and the way she tried to answer the questions, even if one or two of them were not as well put as her Civil Service brief. I appreciated that, and it helps the Committee enormously when we have that positive, constructive engagement, even if there is a measure of disagreement at times. As I said at the beginning, a Bill like this unites us all in wanting to contribute in a way that defends and secures our country and democracies across the world. It is in that spirit that I move Amendment 18 and table Amendment 25 in my name, and I know the Minister will take it in that spirit.
I also thank the noble and gallant Lord, Lord Stirrup, very much for supporting both the amendments. I know the Committee is looking forward to his informed and experienced contribution to our discussions. Although the noble Lord, Lord Alton, is not present—he will no doubt read Hansard—I also thank him for his support for Amendment 25.
These are probing amendments that challenge the Government to explain to the Committee and the wider public their thinking and why these amendments are not necessary. Their various measures are contained elsewhere in the Bill, but it is an important debate for us to have because, as all of us have said, national security is the first duty of any Government and that includes Her Majesty’s Opposition and other parties. That is what “Government” means in total—the responsibility of us all to our citizens.
These amendments are also saying that, to secure democracies across the world in the face of the autocratic challenges and threats we see, it is necessary for us to work well not only in our own country but with our allies. That is clearly something the Government wish, as well.
My Lords, I do not want to bang on for a long time because, in a way, this falls in with things such as the technical advisory committee. It is all part and parcel of the same thing, and we have to keep our eyes open and start forward scanning and see what else is out there.
Ofcom is not in fact a department; I seem to remember that it was set up by Europe through regulations and that originally, it reported via Parliament to the European regulators. I am not entirely sure what Ofcom’s chain of command is; I must do some research into it. Having this buried inside such a body without proper parliamentary scrutiny is unwise, so it is only sensible to embed the principle of having proper advisory committees. This is an obvious no-brainer: we need people with these abilities and skills to be advising on this stuff, and I cannot understand why there would be any objection to it.
Amendment 25 covers the very good point about long-term strategy. As was pointed out on Tuesday, our relationship with the Five Eyes could easily change. There have been efforts from time to time to drive a wedge between us, and we need to start looking at that. One cannot assume that the status quo regarding who is an ally or friend will continue for ever. The fact that we are in different parts of the globe and therefore perhaps in different trading blocs could cause undue pressure, so we must have this horizon-scanning, long-term attitude.
The speech of the noble Lord, Lord Coaker, reminded me of the Tallinn Manual and the question of when cyberwarfare escalates to actual warfare because your entire infrastructure and systems have been taken down. It is a very interesting document. I skimmed through it a long time ago, but it was very eye-opening and before we just leap in, people should take a look at it.
That is really all I have to say. This is so obvious, and I just hope that the Government are going to do something about it.
My Lords, in speaking to Amendments 18 and 25, to which I have added my name, I have in mind the very purpose of the Bill itself, which is, I take it, to ensure the security and resilience of our telecommunications capability here in the UK. The Bill as drafted places certain duties on the providers of those capabilities and gives powers to the Secretary of State to make regulations and issue codes of practice. This is all well and good, but these somewhat mechanistic, albeit welcome, measures will not by themselves result in the necessary degree of security and resilience.
As I said at Second Reading, things move quickly in the world of technology, and they will move even faster during a determined attack on our telecommunications infrastructure. If we are to respond successfully, we will need to be both agile and adaptable. The measures in the Bill will, by themselves, not ensure this.
One of the reasons why we are even considering this Bill is concerns over the position of Huawei in our telecommunications architecture, the clear channel that runs through that company to the Chinese Communist Party, and the ensuing vulnerability of our system. None of this comes as a great surprise, but we have allowed ourselves to get into a position where we are now having to play catch-up. This is largely because we spent the first half of the last decade thinking almost exclusively of the economic opportunities offered by China and very little about the associated security risks; in other words, our decision-making process was unbalanced and distorted. Without proper safeguards, we could easily find ourselves in a similar situation with regard to some future threat.
What sorts of safeguards might help prevent such an occurrence? There is no single answer to this question but at the very least we need a process that provides an appropriate degree of horizon scanning and that, importantly, draws in expertise from across technology, business and security organisations and, indeed, from across different government departments, to give us the best chance of coming to a balanced view.
My Lords, it is a privilege to speak after the noble and gallant Lord, Lord Stirrup. I support Amendment 18, in the names of the noble Lord, Lord Coaker, and the noble and gallant Lord, Lord Stirrup, and Amendment 25, which is also in the name of the noble Lord, Lord Alton.
These amendments propose a pathway forward that would ensure we are well equipped to handle the challenges that will inevitably come our way in the next decade. Amendment 18 places a requirement on the Secretary of State to create a body designed to analyse and consider existing and emergent threats in the telecommunications sector, incorporating representatives from the major bodies of our national security matrix. This body would then be required to lay an annual report before all Members of Parliament, ensuring adequate parliamentary scrutiny and oversight. Indeed, if not for Back-Bench agitation, we might still be aimlessly integrating Huawei into our critical infrastructure, lagging behind our Five Eyes allies in recognising the security threat that such high-risk vendors pose.
Amendment 25, building on the horizon scanning outlined in Amendment 18, requires the Secretary of State to publish a long-term telecommunications strategy in partnership with the aims and outcomes of our closest Five Eyes and NATO allies. In alignment with the integrated review of security, defence, development and foreign policy, this strategy would ensure that long-termism is built into our thinking across both our economic and strategic aims in the coming decade.
We have one of the most sophisticated and advanced intelligence-gathering apparatuses in the world. We are a significant asset to our Five Eyes and NATO allies and a crucial linchpin in ensuring the international order. Yet we have been slow to respond to the rapidly changing digital landscape that we find ourselves in.
An obvious example of this is the much-discussed high-risk vendor, Huawei. It is extraordinary to think that all the way back in 2013 a report from the Intelligence and Security Committee concluded that Huawei posed a risk to national security and that private providers were responsible for ensuring the security of the UK telecoms network. Yet now, according to Ofcom, Huawei accounts for about 44% of the equipment used in providing superfast full-fibre connections directly to homes, offices and other businesses in the UK.
My Lords, Amendment 18 would require the Secretary of State to
“establish a body … to consider emerging and future developments for the telecommunications sector for the purposes of identifying current and emerging security threats.”
Amendment 25 would require the Secretary of State to
“publish a long-term strategy on telecommunications security and resilience.”
These are very sensible proposals, and the speakers have made a cogent case. I thank the noble Lord, Lord Coaker, for his wide-ranging and positive introduction to these amendments.
This is an extremely complex area, as we have heard, not only within our discussions of the Bill but beyond. We know from bitter experience that something can be flagged as a risk and then, without proper focus on it—given all that Governments have to focus on —follow-through is less than systematic. Think of pandemics, flagged, not least in the 2015 strategic review, yet followed through with little or no preparation. This picks up a theme that the noble Baroness, Lady Stroud, emphasised in relation to Huawei: awareness but lack of action. Therefore, the case for a body that looks at this area in the widest sense is compelling.
3:00 pm
The range of representatives, including the National Cyber Security Centre, the intelligence services and the government departments mentioned, makes sense. I would add that the FCDO should also be included, as it has responsibility for strategically assessing the role of states and non-state actors. Clearly, BEIS should be added too, given that it houses the unit supporting the National Security and Investment Act. I note that the list is not limited to the bodies listed. Nevertheless, if noble Lords bring this back, I urge them to include the FCDO and BEIS.
As the noble and gallant Lord, Lord Stirrup, said, the responsibilities here must be met. Amendment 25 echoes the discussions we had on Tuesday about the vital need to work together with NATO, the Five Eyes and other allies, including on research and development, adoption and deployment of key technology, and overall strategy. As I emphasised on Tuesday, out of the EU we are weaker, and it becomes even more important when facing the economic power of a country such as China that we work together with our allies, perhaps even more effectively than we have in the past. We cannot allow ourselves to be picked off as individual countries; moves to do that are well under way, and it will take determination to resist them. That is why the structure of the EU, for example, helps in this regard. We need to be clear-eyed about our position out of the EU and seek to compensate for it.
Amendment 25 references the integrated review. Surely the Government, even though they have already driven a coach and horses through that review by cutting aid, should in every department be aligned to the threats identified in that review.
In terms of horizon scanning, we need resources far beyond our own. It is therefore vital that we work closely with others. As the noble and gallant Lord, Lord Stirrup, said, these amendments would improve the Bill in terms of its central aims. I therefore commend the amendments to the Minister.
My Lords, I thank the noble Lord, Lord Coaker, for tabling these amendments and for his very generous opening remarks. He reminds us that we must remain vigilant about current and emerging threats to our telecoms networks. Rightly, he also urged the Government to communicate how we will do that in a way that makes sense to the public. Today, we are focusing on this Bill and how it is designed to protect our networks now and into the future.
As we heard, Amendment 18 calls for a body to be set up for the purposes of monitoring current and emerging threats to our telecoms sector. The amendment lists a number of committees, departments, organisations and agencies that should be represented on this body.
The noble and gallant Lord, Lord Stirrup, asked: if not here, where? I will try to answer that question in my remarks.
I assure noble Lords that we already have established procedures to monitor current and emerging threats to the telecoms sector. The National Cyber Security Centre undertakes regular risk assessments of such threats, and those assessments are used to inform government policy. For example, the code of practice the Bill will allow us to issue will be informed by the National Cyber Security Centre’s assessments.
In addition, the Government already have forums in which emerging threats and new technological developments are discussed with industry. The noble Lord, Lord Coaker, asked me to give examples of a particular domestic focus. This is one of them. For example, the National Cyber Security Centre’s network security information exchange is a trusted community of security professionals from across the telecoms sector who come together on a quarterly basis to discuss openly and share information on security issues and concerns. There are also established channels for the kind of cross-government and interagency working that the noble Lord’s amendment seeks to formalise. The Government do not see that it would be necessary to establish a new body corporate, which would simply risk duplicating the work of existing forums.
20 of 134 shown
Our telecoms infrastructure, as I saw yesterday when I went to Airbus—a brilliant company in Portsmouth—is clearly critical to our defence and security as well as our economic prosperity. The Bill’s impact assessment rightly highlights the threats we face, stating that the
“most significant cyber threat to the UK telecoms sector”
comes from other states. It is not a terrorist threat in the normal sense of a threat from individuals; but when powerful states can take action against us, that is significant for our country and for democracies across the world. The impact assessment continues:
“The UK Government has publicly attributed malicious cyber activity against the UK to Russia and China as well as North Korea and Iranian actors”.
That is worrying and significant for all of us.
Both amendments say that our approach to security has to be co-ordinated domestically and with our allies. That is, frankly, a challenge for any Government. As to the list of bodies I have included in the amendment, I am sure the Minister could say that I have not mentioned this or that body. However, those that I have listed are based on my own research. I am sure that other significant bodies should be on it. However, the point is that the challenge is significant. How will cross-departmental co-ordination on the current security infrastructure work at a domestic and international level? I know that the response is often that we have the National Security Council and that is why it was set up, and the Prime Minister chairs it. It is obviously incredibly important and it would be ridiculous to say that it is anything other than an effective co-ordinating body. However, that does not alter the fact that coming to the table are significant actors in their own right within the sphere. It is right to ask, how do the Government expect the new duties placed on the telecoms sector to work and be policed by all the various bodies?
The amendments also highlight the question of how we future-proof this legislation against current and emerging threats. To be blunt, it is hard enough to deal with the current threats as we understand them. At security levels far higher than those we have in this Committee, there will be those who will not only be trying to deal with the current threats but looking at what might happen, five, 10 or 15 years down the road. That is a real challenge for anyone. How do we stop those threats?
We have come to a view about Huawei. Some may argue that perhaps we should have done so two, three or four years ago but we are where we are and we have now concluded that all Huawei equipment should be out of our country’s networks by 2027. Would it not have been better to have predicted that several years ago, so that we would not have to try to stop that company’s involvement now? How does the Minister believe that the current structures and those envisaged in the Bill will deal with not only current but future threats?
The concern is shared by our allies. The recent NATO summit communiqué stated:
“NATO and Allies…will maintain and enhance the security of our critical infrastructure”,
including “communication information networks” such as 5G. I should say to the Minister—the noble and gallant Lord, Lord Stirrup, will have much greater understanding and awareness of this issue—that one of the most significant moves that the alliance made in that communiqué was to confirm that a cyberattack, including on our own telecoms networks, could trigger an Article 5 response.
With the Committee’s permission, I will read from paragraph 32, as it is so important:
“We reaffirm that a decision as to when a cyberattack would lead to the invocation of Article 5 would be taken by the North Atlantic Council on a case-by-case basis. Allies recognise that the impact of significant malicious cumulative cyber activities might … be considered as amounting to an armed attack.”
I emphasise “armed attack”. We and our allies are saying, quite rightly, that the theory of deterrence is now being applied to the world of cyber. The Minister will understand the principle that an attack on one is an attack on all, so theoretically it could be one of our allies that is subject to that attack and that we come to the defence of. Again, I think that is quite right. Does the Minister have any comment highlighting how the Government see that being taken forward?
Amendment 18 seeks to establish a horizon-scanning body for our telecommunications sector, to identify current and emergent threats and produce an annual report for Parliament. The body would include representatives from the Armed Forces, relevant departments, the intelligence services and the National Cyber Security Centre, as well as industry and security experts. Can the Minister explain how the Government will watch out for future threats without such a body? How will cross-departmental work be managed? Will the new telecoms advisory council include security experts or ex-military personnel?
The Spectator is not a magazine whose political opinions I agree with, but this is so serious. The front page this week features the relationship between China and Cambridge. Whatever the rights and wrongs of it, I am just reporting to the Committee what is said in a well-regarded magazine that I and many other noble Lords read. To have that on its front page, and then inside, significant articles about the relationships and the potential difficulties that they may cause for us on a security level, shows to the Committee and the wider public how difficult this is becoming. You have one of the most brilliant universities in the world being questioned in terms of its relationship with China, in a well-regarded publication. That is a challenge for us as we take this Bill through and what it means for us in maintaining our security to defend our democracy.
Amendment 25 seeks to ensure that the Government publish a long-term strategy for our telecommunications security and resilience. Can the Minister outline how she expects that to happen? We should consider how to collaborate more effectively with our allies—NATO and the Five Eyes—and consider proper resourcing of UK security infrastructure. I believe DCMS is now developing a long-term strategy to consider how international standards can be developed. Can the Minister explain how the UK will work with our allies on R&D or adoption and deployment? This is critical for the security of our nation, so it would be helpful for the Committee to understand.
I hope that the Minister takes my contribution in the spirit in which it is meant, which is to challenge in a way that I hope is helpful to the security of the nation and of our telecoms infrastructure and businesses. The last year or two have been a bit of a wake-up call for all of us, including me, as to the potential threats that there are. Given the security level that we are all at, what some people working at STRAP levels know and understand about the threats to our nation one can only begin to imagine. I look forward to the Minister’s response and to the contributions of the noble and gallant Lord, Lord Stirrup, and other Members of the Committee. This is meant to be a probing, challenging amendment. I hope that the Minister will be able to respond in that spirit, and that we can all look forward to seeing how the security of our nation can be effectively maintained against the threats as we understand them now and as they may emerge in the future. I beg to move.
That is what Amendment 18 seeks to do. It will not cure all ills but it will provide us with a mechanism to drive adaptability, not just in our architecture but in our thinking, something that is traditionally hard to achieve. Of course, the Minister may say that the Bill is not the place for setting out this kind of thing. My response to that would be: if not here, then where? The responsibilities outlined in the amendment must be met if we are to achieve the Bill’s laudable purpose.
Amendment 25 is in many ways a follow-on from Amendment 18. It calls for the deliberations of a horizon-scanning body and the ensuing policies and actions to be presented to Parliament in the form of a comprehensive strategy. Most importantly, it seeks to ensure that such a strategy is coherent with other elements of government policy, as set out in various documents, such as the integrated review, and in other legislation, such as the National Security and Investment Act. It also seeks to encourage international co-operation in this regard. I believe this is essential, since we rely so heavily on collective security for our national safety. The noble Lord, Lord Coaker, has already highlighted the importance that NATO now attaches to the whole area of communications and cyberspace.
Taken together, these two amendments put in place measures that would improve our agility and adaptability and thus strengthen the Bill in terms of its ultimate purpose. If the Government are going to set their face against such measures in this legislation, I ask the Minister to explain how the essential functions they prescribe are to be carried out and how Parliament can be confident of their success.
In a Statement to Parliament last year, the Foreign Secretary made the welcome announcement that
“high-risk vendors should be excluded from all safety- related and safety-critical networks in critical national infrastructure”—[Official Report, Commons, 28/1/20; cols. 710-11.]
and yet, due to how embedded this vendor has become in our critical infrastructure and the lack of competition, Huawei, as we have heard, is not set to be removed as a provider until 2027. It should never have reached this point. A horizon-scanning body and deeper parliamentary oversight would ensure that we are not left sleeping at the wheel again. How was it that our Five Eyes allies were significantly more alert to this risk than we were?
Furthermore, without cross-body co-ordination, the rapid advances in technology we are set to witness over the coming years will make it even more difficult to adapt to threats as they manifest themselves. GCHQ Director Jeremy Fleming suggests that the UK needs to prioritise the advances in quantum computing, as well as working with allies to build better cyber defences and shape international standards and laws in cyberspace. With quantum computing becoming more mainstream, there is a risk that a sudden increase in processing power could render existing encryption methods useless.
These are just some of the challenges we face. The future of our security and sovereignty will depend on the steps we take in this Bill. According to MI5, at least 20 foreign intelligence services are actively operating against UK interests. We have a remarkable security and intelligence community but, as we enter this new era, we must accept that our ability to adapt to emerging challenges will be the defining feature that drives us forward and keeps us ahead of other nations that would challenge our national interests.
We have seen how easy it is for a digital attack to break down our critical systems. Just last month, a ransomware attack in the US took down the entire Colonial Pipeline infrastructure, which transmits nearly half the east coast’s fuel supplies. Analysts have suggested that hackers could have been inside Colonial’s IT network for weeks or even months before launching their ransomware attack.
This issue extends into the digital space. A 2018 report commissioned by the US Senate intelligence committee, The Tactics & Tropes of the Internet Research Agency—a Russian propaganda unit—revealed that there was:
“A sweeping and sustained social influence operation consisting of various coordinated disinformation tactics aimed directly at US citizens, designed to exert political influence and exacerbate social divisions in US culture”.
I posit that we may not even be aware of the scope of the disinformation and destabilisation occurring online that is challenging our sovereignty and internal security.
I support these amendments in light of the fact that it has taken considerable Back-Bench activity to alert us to the security issues posed by high-risk vendors; that we are still not thinking clearly on China; and that we need systems and structures to ensure that long-termism is built into our thinking across both our economic and strategic aims in the coming decade.
The noble Lord’s amendment would also make provision for Parliament to receive annual reports on current and emerging threats from this new body. The National Cyber Security Centre already publishes guidance as and when threats develop. Furthermore, as noble Lords are aware, the Intelligence and Security Committee is able to see and scrutinise the National Cyber Security Centre’s assessments of current and emerging threats. Given that there is already this provision for parliamentary oversight, I do not consider that laying a report before Parliament annually would be necessary.
Amendment 25 would require the Government to publish a long-term telecoms security and resilience strategy, covering various topics set out in the amendment, within six months of the Bill’s Royal Assent, and would require this strategy to be laid before Parliament. The Government share the noble Lord’s desire to ensure that this country is fully prepared to overcome future challenges to the security of our telecoms networks. However, the publication of such a strategy is, we feel, unnecessary because recent government reports and announcements, publicly available, already address these topics. The noble Lord will be aware that the Bill is the result of the recommendations put forward in the UK Telecoms Supply Chain Review Report, published in July 2019. That report, along with the Government’s announcements last year, has already set out our strategy for addressing telecoms security risks, particularly relating to supply chains.
In addition, we published our 5G Supply Chain Diversification Strategy last November. This includes our strategy for collaborating with allies on future network research and development, and influencing global telecoms standards. As I will touch on when we debate Amendments 24 and 28, this work is progressing well and the Government’s response to the recent diversification taskforce report, published earlier this month, sets out the steps we are taking to deliver on our goals.
More broadly, the Government’s approach to telecoms security and resilience is informed by cross-government priorities. These include the integrated review, published in March, which committed to launching a new comprehensive cyber strategy this year. The strategy will set out how we will build up the UK’s cyber resilience, deter our adversaries and influence tomorrow’s technologies so that they are safe, secure and open.
Alongside this, a national resilience strategy will ensure that our suite of systems, infrastructure and capabilities for managing the full range of resilience risks becomes more proactive, adaptable and responsive to future threats and challenges. Work is well under way to develop these cross-cutting strategies, and we will ensure that our approach to telecoms security and resilience continues to take them into account.
I think the noble Lord, Lord Coaker, and the noble and gallant Lord, Lord Stirrup, know very well that there is a tension between having a greater degree of focus in a strategy and a wider scope. We believe that we have struck the right balance in this area.
The noble Lord, Lord Coaker, asked about cyber deterrence. He may be aware that the Government will shortly bring forward legislation to counter state threats of the type he described. It will create new offences, tools and powers to detect, deter and disrupt hostile state activity by states targeted at the UK. He also referred, in the context of future-proofing, to the National Security Council. Among its responsibilities is examining forward-looking strategies.
The noble Baroness, Lady Northover, mentioned the role of the FCDO. Of course, she will know that the First Secretary of State provides leadership across departments to ensure that the Government’s response to cyberthreats and our ambition as a cyberpower are fulfilled.
My noble friend Lady Stroud talked about the Government being asleep at the wheel in relation to Huawei. I think that is a little harsh. The Government have always considered Huawei to pose a relatively high risk to the UK’s telecoms networks compared with other vendors. A risk mitigation strategy has been in place since Huawei began to supply equipment to UK public telecoms providers. Obviously, the Government have announced extensive advice to manage those security risks based on the work of the experts at the National Cyber Security Centre. Most recently, the Secretary of State announced advice that providers should remove all equipment made by Huawei from 5G networks by the end of 2027.
The noble Lord, Lord Coaker, asked about the presence of security experts on the recently announced diversification council. I can confirm that a senior official from the National Cyber Security Centre will attend to provide that expertise.
The noble Earl, Lord Erroll, asked what parliamentary scrutiny there was of Ofcom. The chief executive and other senior officials from Ofcom give regular evidence to parliamentary Select Committees, including an annual scrutiny session with the DCMS Select Committee, and it also lay its annual report and accounts before Parliament.
I hope I have managed to address most of the points raised and to reassure your Lordships that, while we recognise the very valid questions that have been asked, we believe that we have the balance right in terms of co-ordination and strategy. With that, I ask the noble Lord to withdraw his amendment.