My Lords, this past year has put into sharp focus the importance of digital connectivity, which has been vital in keeping both people and industries going in these challenging times. In the other place, my right honourable friend the Secretary of State spoke about the potential for 5G and gigabit broadband to transform our lives. The Government are investing billions of pounds into these cutting-edge technologies. However, we can be confident in the technology only if we know that it is secure.
That is why we have introduced the Telecommunications (Security) Bill. The Bill will create one of the toughest telecoms security regimes in the world. It will protect our telecoms networks even as technologies grow and evolve, shielding our critical national infrastructure both now and for the future. I will briefly outline the context for the Bill and why it is necessary, before turning to the intent of its clauses and delegated powers.
The security and resilience of 5G and full-fibre networks is not just in the national security interests of the UK. It is also crucial to the UK’s economic interests and future prosperity. The House will recall that this Government published the UK Telecoms Supply Chain Review Report in July 2019. It found that telecoms providers lack incentives to apply security best practices and recommended a new framework for the UK’s public telecoms providers that will respond to new and emerging threats to the security of our networks. The review also recommended new national security powers for the Government to control the presence of high-risk vendors in UK networks. The Bill is our response to those recommendations.
I will now outline the intent of the Bill’s clauses, which can be broadly separated into two groups. Clauses 1 to 14 introduce a stronger telecoms security framework, placing new security duties on public telecoms providers. Clauses 15 to 23 introduce new national security powers to address the risks posed by high-risk vendors.
I turn first to Clauses 1 to 14. The Bill amends the Communications Act to create a tough new telecoms security framework, which consists of three layers. First, the Bill places strengthened overarching telecoms security duties on public telecoms providers in primary legislation. Secondly, specific security requirements will be set out in secondary legislation. Thirdly, guidance on the detailed technical measures that providers could take to comply with their legal obligations will be set out in a code of practice. The new legal duties in the Bill and the measures in the secondary legislation will apply to public telecoms providers operating within the UK.
To illustrate the specific measures that providers may be expected to adopt, we published an illustrative first draft of the security framework regulations on GOV.UK in January. We have been, and continue to be, in close contact with industry following the publication of the draft regulations. Comments received as part of this engagement are being considered in the drafting of the final version. We will launch a public consultation on the draft code of practice once the Bill achieves Royal Assent. This will ensure that views from all impacted groups are heard ahead of the new framework coming into force.
My Lords, those of you who participated in this House’s consideration of the National Security and Investment Act may, I am afraid, detect a few similarities in the nature of my contributions to this legislation. That is an unfortunate consequence of the Government’s failure to listen to the strength of feeling in the House on the subject of oversight during those debates.
Like that Act of Parliament, the Bill seeks to address concerns first raised by the Intelligence and Security Committee some seven years ago in its report, Foreign involvement in the Critical National Infrastructure, namely that there were serious failings in the way in which successive Governments managed the entry of foreign telecommunications companies into the UK market. Clearly, the Government have been listening to what the ISC, with its unparalleled access to highly classified material, has been able to discover on behalf of Parliament, leading to both pieces of legislation.
The ISC therefore welcomes this Bill. We strongly support the principle behind it and the new safeguards it introduces. However, as with the National Security and Investment Act, we are concerned that the Bill does not provide for sufficient parliamentary oversight of these important new powers. As noble Lords are aware, the Bill provides significant powers for the Secretary of State to designate certain vendors as high-risk and to direct telecommunications providers to abide by certain requirements about the use of equipment from designated vendors. When the Secretary of State issues, varies or revokes a designation notice or a designated vendor direction, he will lay it before Parliament, except when this is contrary to national security.
This is a perfectly reasonable provision. I, for one, would not wish the Government to publish information that would damage national security. However, as things stand, this results in a significant gap in Parliament’s ability to scrutinise the Government’s decision-making and use of these powers. I am sure noble Lords agree that this is not what Parliament expects.
My Lords, I thank the Minister for her very clear exposition of the purposes and modus operandi of this Bill. It is a great pleasure to follow the noble Lord, Lord West—Admiral West—and I look forward to working with the noble Baroness, Lady Merron, who is on the Front Bench.
During late summer last year, we debated the Telecommunications Infrastructure (Leasehold Property) Act, when this security Bill was held out as a carrot, largely to try to curtail discussions of a Chinese nature. It did not work, of course, and we had those discussions, but here we are at last with this Bill. As we have heard, it provides the Government with considerable new national security powers to issue directions to privately-held public telecommunications providers, primarily with the aim of managing issues arising from high-risk vendors. As such, the Minister will acquire wide and sweeping powers.
The Bill also gives Ofcom wide duties and legal powers to monitor and assess the security of telecoms providers. For teeth, as we have heard from the Minister, companies that continue to use high-risk vendors could or will face very heavy fines. Perhaps the Bill’s headline outcome is the new controls on the use of Huawei 5G equipment, including a ban on the purchase of new Huawei equipment from the end of 2021 and a commitment to remove all Huawei equipment from 5G networks by 2027.
How will these Benches respond? First, I am happy to confirm that Liberal Democrats are strongly in favour of having secure telecommunications networks. I am sure the Minister is relieved to hear that. Secondly, Liberal Democrats want to see Huawei technology removed as quickly and expediently as possible. However, I note, as the Minister hinted at but did not detail, that the issue is with more than one supplier and more than one country. I add that the issue of the treatment of Muslim Uighurs does not stop with this Bill. The genocide going on there creates much wider implications for our relationship with China than the issue of which technology makes our phones work. These implications are very important, but I understand that they are beyond the scope of this Bill.
My Lords, I welcome this Bill. It is not only necessary, it is also overdue, but it is just one step on a path along which we have much further to go. By itself the Bill will have only a limited impact. If we are to realise its benefits, we need to think about the wider questions it leaves unanswered. Addressing these questions is crucial to our future safety and prosperity.
Throughout history, technological advances have brought with them exciting new opportunities, but they have also introduced serious vulnerabilities. Meanwhile, as our society has grown more complex, interconnected and interdependent, so its ability to weather shocks has grown more fragile—to the point now that serious technological disruptions could have catastrophic consequences. This should not be taken as an argument against embracing technology and the benefits it confers. It should, though, make us think very seriously about the new vulnerabilities we create and how we might mitigate the associated risks.
The Bill goes some way towards meeting that responsibility, but it does not provide the whole answer. As the title of the Bill tells us, the issue we confront is one of security, but we have to ask ourselves what exactly we mean by that term. In my view, we do not mean invulnerability. We should certainly seek to defend critical areas such as our telecommunications from attack, but a defender always has certain disadvantages. The choice of when, where and how to attack lies with the assailant and the defender is, at least at first, on the back foot. This problem is particularly acute when the space or activities to be defended are widely spread, as with our telecommunications network. We cannot therefore assume that an attack will fail, no matter how well we prepare. Quite the opposite: we have to assume at least a degree of success. So, the security of our national telecommunications infrastructure becomes a question less of how to prevent attacks entirely and more of how well we can absorb and recover from them.
My Lords, it is a pleasure to speak in this debate. In the time available, I want to welcome the Bill, which, as we have already heard, delivers on promises made by the Government and Ministers in 2019 and 2020: that a comprehensive telecoms security framework would be put in place. As my noble friend the Minister said, this is a comprehensive security framework that will provide an opportunity to look beyond just one company or one country of concern. As we have heard from previous speakers, over the years there will of course be more threats and more areas and companies of concern that will arise.
I agree with the noble and gallant Lord, Lord Stirrup, that of course this is a first step. As we know, with security threats and with emerging technology, over the years a more comprehensive response will be needed, but I think the Government are to be congratulated that in the midst of the disruption over the last 15 months, this telecoms security framework Bill has been brought forward as was promised. The other side to this, as we have already heard, is noble Lords’ desire to hear about the pace and rollout of the diversification strategy. My noble friend the Minister will, I hope, be taking this from the House and be able to address it in her comments.
As noble Lords will be aware, the use of 5G technologies, the importance of 5G to the delivery of the internet of things, the use of artificial intelligence and other technologies, are only going to grow. Just this morning, I was part of this House’s Covid-19 Committee listening to evidence about the increase, as we have seen, of course, of people working from home over the last year, running their businesses from home and, as some of us have seen more closely than others, home schooling—which we all hope there will be no need for again in future. Without secure, reliable and resilient broadband internet and 5G connectivity, we will put ourselves at a disadvantage as a country.
2:56 pm
Lord Maxton (Lab)
My Lords, I hope to be very brief. We ought to remember three things. First, our lives are very short—although I am 85—in comparison with the 300 years of the Industrial Revolution. Secondly, that is 0.1% of Homo sapiens’ existence on this world. Thirdly, the world is much older still. Is the Minister assured that the development of innovation that is part and parcel of what we want to see over the next few years is going to continue, or is this going to be a block on the continuation of that?
More importantly, much of what Ofcom deals with is international, not national. Therefore, it is going to be much more difficult to respond to an entitlement of that nature internationally than nationally. It is easy to deal with four or five companies that deal with telecommunications within this country, but it is not so easy to deal with them internationally, particularly with Facebook and Twitter and all the other things that go with that. I have no idea where they come from. Does anybody know where they come from? Netflix is a massive organisation, now producing more than the BBC, but where does it come from? Where exactly is it, in terms of telecommunications generally? Amazon Prime—again, where does it come from? I pay my bill to Amazon Prime regularly, but where on earth do I pay it to? Where does it go?
I suggest three things: first, that we deal with the international issue; secondly, that we deal with the issue that I raised to start with; and thirdly—more importantly—that we ask whether our democratic system is keeping up with the improvements in science and technology that are happening around the world at present. Yes, in 1820, two-thirds of people in Britain lived below the level of absolute poverty. Now, the United Nations is talking about abolishing that term because that level no longer exists. Poverty exists, of course, but absolute poverty does not exist. On vaccines, even in the present crisis, the number of people who are vaccinated now is higher than in the past. The number of people who can read and write is also higher. So, why are we not tackling the problem of changing our constitution to ensure that we keep up with the scientific and technological improvements happening around the world?
My Lords, I am grateful to the Minister for her clear and convincing explanation of the need for this Bill, which I support. I have a possible interest as a beneficiary of the British Telecom pension scheme but, as it was a nationalised industry when I worked for it and our main preoccupation was the introduction of subscriber trunk dialling in the 1960s, I fear that much of my knowledge of the technical side of the telecommunications industry is 60 years out of date.
I mention in passing the report by the Delegated Powers and Regulatory Reform Committee, which says, on the power in Clause 3, that the committee is unconvinced by the department’s case and recommends a negative procedure for the code of practice. That seems to me to be a concession that the Government could consider. I noticed with approval the Minister’s conciliatory response when she spoke about the committee’s report.
There are three issues I want to raise briefly. The first concerns whether the Secretary of State’s directions and designations under the Bill are justiciable and whether issues of national security could end up being decided not by Ministers but by the courts. For example, could a potential supplier, such as Huawei, assert that there was no risk to national security in any ministerial designation, that decisions were being taken to protect domestic suppliers and that no reasonable Secretary of State could have reached such a conclusion and seek an injunction? In which case, despite the passage of the Bill, we would find that there was extensive and time-consuming litigation, during which time investment in telecoms infrastructure would be frozen and potential security issues would be ventilated in the courts. Can my noble friend say that every precaution has been taken to avoid such a scenario?
Related to this is whether the Secretary of State has to give reasons for his decisions. We are told in the Explanatory Notes:
My Lords, I thank the Minister for her very fair introduction to the Bill. As a former member of Huawei’s international advisory board, I am somewhat conflicted in a discussion about the principles of the Bill, especially following the various twists and turns in government policy. I very much support the 5G supply chain diversification strategy, but the questions raised by my noble friend Lord Fox and the noble Lord, Lord Young, need to be answered. How it is progressing and where any financial support is going need to be the subjects of regular report by government, given that in the short term we are faced by a stark dual-supplier market.
As my noble friend Lord Fox has indicated, however, I want to focus on, and confine myself to, a debate about the wide-ranging new powers in the Bill for the Secretary of State and Ofcom and the lack of adequate checks and balances, especially in terms of oversight, whether parliamentary, judicial or, indeed, technical, which permeates the Bill. If there are going to be these extensive new powers, we need to make sure that they are exercised properly and with due process and consultation.
The Delegated Powers Committee report referred to by the noble Lord, Lord Young, is just the tip of the iceberg. It draws the attention of the House to the proposed new Section 105E of the Communications Act 2003, which gives the Secretary of State power to issue, revise or withdraw codes of practice about security measures that should be taken by providers in the performance of their duties to prevent security compromises. There is a duty to consult with Ofcom and providers but no oversight or approval role for Parliament.
I am glad to say that the committee, in the light of the importance of the code in assessing compliance and in enforcement by Ofcom, was unconvinced by the department’s claim that this was too detailed and technical, and “not legislative”. As the committee says,
The Bill provides Ofcom with a new general duty to seek to ensure that telecoms providers comply with their new security duties and builds on Ofcom’s existing security duties. Ofcom will have new powers to assess providers’ compliance. In cases of non-compliance, Ofcom will be able to issue a notification of contravention and, ultimately, financial penalties of up to 10% of turnover. Recognising that Ofcom will have expanded duties, DCMS is working with it to ensure that it has the necessary capability and capacity to deliver those vital functions. We have already increased Ofcom’s security budget for this financial year by £4.6 million to reflect its enhanced security role, in addition to its existing funding. Ofcom will also continue to work closely with the National Cyber Security Centre in the delivery of its security functions. The two organisations have published a statement, available on Ofcom’s website, which sets out how they plan to work together.
Clauses 15 to 23 introduce new national security powers to manage the risks posed by high-risk vendors in our telecoms networks. The Bill includes new powers for the Secretary of State to designate specific vendors in the interests of national security and issue directions to public communications providers. Those directions will place controls on a provider’s use of goods, services and facilities supplied by a designated vendor. Once a designated vendor direction is issued, the Secretary of State can direct Ofcom to collect information from providers and report back so that the Secretary of State can determine whether a provider is complying with a direction. Government amendments were passed in Committee in the other place to bring the powers in Clauses 15 to 23 into force immediately upon Royal Assent.
The Government have announced that UK telecoms providers should cease to install Huawei equipment in 5G networks after September 2021 and remove all Huawei 5G equipment by the end of 2027. We published an illustrative direction and designation notice in November 2020 to demonstrate how the powers in the Bill could be used in relation to Huawei in line with these announcements. Once the Bill receives Royal Assent, any proposed designated vendor directions and notices will be subject to the relevant consultation requirements set out in the Bill.
I will now turn to the delegated powers in the Bill. It contains nine delegated legislative powers to make secondary legislation and two administrative powers. Six of the delegated legislative powers are to amend the maximum penalties specified in the Bill. These are Henry VIII powers and are subject to the draft affirmative resolution procedure. A further two are powers to create regulations setting out specific measures to be taken to comply with the new security duties and are subject to the negative resolution procedure. Finally, one power is to make regulations commencing certain provisions in the Bill and is not subject to any procedure. The two administrative powers are the power to issue codes of practice and the power to give designated vendor directions to providers.
Our approach to the delegated legislative powers is in keeping with precedent. The powers to amend maximum penalties in the Bill are consistent with those in the Communications Act 2003. I appreciate the need for Parliament to have the right mechanisms to scrutinise the powers that we are taking in the Bill. I am confident that the approach we have taken finds the appropriate balance. As the House would expect, we have submitted the delegated powers memorandum to the Delegated Powers and Regulatory Reform Committee. I thank it very much for its prompt report on the memorandum, which I read with interest. The Government will consider the committee’s recommendation concerning the power to issue codes of practice about security measures and aim to respond to the report fully in due course.
To conclude, the Bill has not been designed around one company, one country or one threat. Its strength is that it will create an enduring and effective telecoms security regime that will be flexible enough to keep pace with changing technology and changing threats. I hope that noble Lords on all sides of the House will welcome it. I beg to move.
There is a simple and elegant solution to this problem: any designation notices or designated vendor directions that cannot be laid before Parliament for reasons of national security should be provided instead to the ISC for scrutiny. Parliament established the ISC for this purpose. Indeed, it is the only committee of Parliament that has regular access to the most sensitive protectively marked information. ISC colleagues have made these points repeatedly in the other place but they, again, have fallen on deaf ears. The Government’s resistance to this idea, coming so swiftly after their resistance on the NSI Act, gives the unfortunate impression that they are seeking to avoid scrutiny—an impression I am sure Ministers will wish to correct.
The Government have been clear that they do not think the ISC’s scrutiny role should be included in the Bill. This is regrettable. We should not knowingly be passing legislation that has holes in it. However, once again, there is a ready solution to that problem. As noble Lords are aware, the Justice and Security Act 2013 requires the ISC’s specific remit to be set out in a memorandum of understanding between the committee and Prime Minister. The Government told Parliament that the MoU would provide the ISC with oversight of substantially all the Government’s intelligence and security activities. However, with the passage of the NSI Act and now this Bill, the MoU is self-evidently out of date. It is a very simple matter to update it to provide the ISC with oversight of these powers in the specific and limited way I described a few moments ago.
The committee has formally raised this issue with the Government and asked them to take forward updating the MoU to ensure that it meets the commitments the Government made to Parliament during the passage of the Justice and Security Act. For that reason alone, I do not intend to table an amendment that would put the ISC’s essential oversight role on these powers in the Bill. However, the Government should be in no doubt that they must address this issue; the current situation is not tenable. If the Government do not wish to amend the Bill to fill this oversight gap, they must give a commitment to update the ISC’s memorandum of understanding and provide the oversight that Parliament requires in that way.
A large body of opinion from all corners of the House feels strongly about this and, should another Peer table an amendment on it, I would support it. The Minister will recall the strength of feeling in the House when the Government failed to provide for ISC oversight of the powers introduced by the National Security and Investment Act. I urge the Government to work constructively with the ISC on this issue.
Thirdly, Liberal Democrats strongly believe that the Government must now invest in developing telecommunications technology in the UK. We want to see an increase in the diversity of the UK’s telecoms supply chain. We also believe that a strong relationship with the European Union and the intelligence alliance Five Eyes will help us to ensure that security risks are dealt with quickly. Finally, Lib Dems want to see stronger protections for the privacy of people in the UK.
What we will be testing in Committee is threefold. First, does the Bill effectively shut out the technology it is meant to shut out? The trick to making communications secure will be the nuts and bolts of the Bill. Secondly, do the Minister and Ofcom have the right powers, and the necessary checks and balances, to make this Bill work? Thirdly, when it comes to supply chain diversification, can we actually shut out Huawei et al and have an effective communications network?
One at a time, first let us look at the prime intent of the Bill: to keep our networks secure. On the face of it, this is another skeleton Bill. With the presentation of a few statutory instruments here and there, the Government should theoretically be able to react swiftly, but are the Minister and Ofcom placed to pre-empt issues, rather than react to them? There is a technical difficulty here: in 5G particularly, the distinction between the core and edge of networks is blurred. With technology moving faster than government can, that distinction is almost meaningless and the threats will change from week to week. So can the Minister explain how Ofcom can ever successfully be ahead of the game and not chasing issues?
As we know, plans for removing Huawei have been announced, but this does not stop with Huawei. For example, legislation in the US is considerably broader. It identifies specific companies, including Huawei, but also ZTE Corporation, Hytera Communications Corporation Limited, Hangzhou Hikvision Digital Technology Co. Limited and Dahua Technology Co. Limited. Also, US legislation covers telecommunications and video surveillance and services. Given the news this weekend, the Minister might like to review where we source CCTV cameras from in this country—I note that that was discussed in a previous debate. Can the Minister assure your Lordships’ House that this legislation will cover the full range of security threats that we need to cover or will we see another Bill to broaden it yet further into surveillance and surveillance services?
Turning to the powers granted by this Bill, it gives wide-ranging powers to the Secretary of State and next to no oversight to Parliament. Included are sweeping powers to address matters of national security and it is not clear, although the Minister has hinted, how Ofcom will really interact with the intelligence community. Furthermore, as we have heard from the noble Lord, Lord West, the committee, which has express oversight of national security, has been excluded from scrutinising how this legislation will operate. I support the words of the noble Lord, Lord West. In addition, there is no dedicated role for judicial or technical oversight. This is very different from the Investigatory Powers Act 2016, in which such provision exists. I expect my noble friend Lord Clement-Jones to comment more on this issue.
The Bill also gives sweeping powers to Ofcom. We heard from the Minister how Ofcom will be co-operating with the intelligence services, but this creates a conflict of culture within Ofcom and will inevitably lead to more opaque operations which will, in turn, create issues elsewhere. I am still not clear how that interface will work. It will be useful to investigate that in Committee.
Finally, I turn to supply chain diversity. The Minister in the Commons said:
“We must never find ourselves in this position again. Over the last few decades, countless countries across the world have become over-reliant on too few vendors”—[Official Report, Commons, 30/11/20; col. 75.]
Fine words, I am sure, but they come from a Government whose Chancellor and Secretary of State for BEIS have cancelled the industrial strategy and disbanded the Industrial Strategy Council. Undaunted, alongside the Bill the DCMS has published a diversification strategy. I suggest that Oliver Dowden, who adorns that document, is rowing somewhat in the opposite direction from the Chancellor of the Exchequer. Assuming that this strategy makes some headway against a running tide within government, it has three legs: “supporting incumbent suppliers”, “attracting new suppliers” and accelerating “open-interface solutions”.
I will take those legs one at a time, beginning with “supporting incumbent suppliers”. I am bemused by the term “incumbent”. I think it means domestic suppliers, because Huawei is an incumbent supplier and we have heard that it will not be getting support. Assuming domestic suppliers is what is meant—there are world trade rules that make it difficult to preferably treat domestic suppliers, but assuming these can be surmounted—can the Minister give us the current estimate of how many incumbent domestic suppliers are in our network and what percentage, in terms of value, they represent?
To fill that gap, we are going to need pretty rapid innovation. Innovation is not easy and the speedy innovation we have just seen with the Covid vaccine, for example, was helped by two important conditions: first, a very strong existing R&D base in this country and secondly, a guaranteed private sector market for the vaccine. I do not think these conditions exist for telecoms technology. So, what is Her Majesty’s Government’s assessment of telecoms research and development in the UK? How will the private networks be encouraged to guarantee a market for any UK-based and UK-developed products that emerge?
The second strategic leg is “attracting new suppliers”. I suspect this is going to be an easier job than building an industry from scratch in this country. Will the Minister confirm how the vetting process will work? I assume this will be in the code of conduct. Will the networks have to be externally cleared? Will they be subsequently audited, and how deep does approval go? Does every component of every sub-assembly need to go through a process, and how will this all unfold in building the networks? It begins to sound quite cumbersome if there is going to be a nuts and bolts check of the technology.
The third leg is accelerating “open-interface solutions”. The Government are moving ahead at speed with open-access radio networks and open RAN piloting, and should be congratulated. If it goes to plan, when will we start to see this becoming significant? How will the Government get the existing vendors to increase the scope of their interoperability? What, in a sense, is in it for them?
We overwhelmingly support the objectives of this Bill. There are serious issues, particularly in the absence of detail and scrutiny. The regulations remain a mystery until they are published, and the process is potentially pretty bureaucratic. I think the Government have recognised that there are issues, which probably reflects why there are four days in Committee ahead of us. We may need all four of those days.
In its first report of May last year, the National Infrastructure Commission acknowledged as much and recommended an architecture which can “anticipate” challenges, “resist, absorb” and “recover” from attacks and adapt accordingly. It calls on the Government to set “resilience standards”, appoint regulators to “oversee regular stress testing” and require that:
“Infrastructure operators produce long term resilience strategies”.
Can the Minister tell the House what progress has been made in implementing these recommendations?
All of this seems to throw up two different categories of question: what policies and actions would best protect our infrastructure from attack and achieve the necessary resilience, and how do we provide appropriately rapid assessments and directions to counter the effects of such attacks?
On the first point, at which this Bill is aimed, the Huawei experience would seem to suggest restricting the provision of parts of our infrastructure to trusted suppliers and operators, but who are they and how are they to be engaged? They cannot be drawn solely from the ranks of “British” companies—whatever that means in today’s globalised business environment—since we do not have the mass, the spread or the technologies within our economy to meet all our own needs. It is certainly possible to identify less risky 5G suppliers than Huawei, but not ones that are risk free.
Even where we do have a national capability to provide and operate parts of our infrastructure, problems remain. Are the Government to identify such national champions in selected areas of business? This may be necessary in some very restricted areas, but such dirigisme has a poor track record in the UK for two principal reasons. First, the Government are not very good at identifying winners. Secondly, in order to remain in business, such champions need a regular drumbeat of UK orders, which, in turn, stifles competition and efficiency. There are many salutary examples of this in the history of defence procurement.
A more productive approach might be to decrease reliance on one or even a few suppliers and thus build a degree of redundancy into the most critical parts of our infrastructure. This would not be the cheapest solution, at least in the short term, but the level of insurance that it provides might be well worth paying for. The Government need to develop an approach that balances cost, risks and resilience—that constantly monitors and rebalances this equation in the context of our complex and dynamic world.
This requirement, alongside the observation that some of our judgments will inevitably prove to be wrong, and in the expectation that some attacks will succeed, at least in part, brings me to my final point. Things move quickly in the world of technology, and they will move even faster during a determined attack on our telecommunications infrastructure. If we are to respond successfully, if we are to absorb the first blow, recover from it and reshape ourselves for the future, we will need two things: agility and adaptability. Agility in this sense is our ability to respond quickly to those things we did not or could not foresee—to change our systems, plans and, indeed, our thinking on the fly to check and outmanoeuvre our opponents. Our resilience and ability to recover will depend on this. Adaptability, by contrast, is about our ability to change our longer-term posture in the light of emerging threats and opportunities and to learn from both failure and success. Agility keeps us in the fight and helps us master immediate challenges. Adaptability maintains our readiness in a changing world.
Provision of these crucial attributes cannot be left to the individual service providers, but neither can they be delivered by the Government or by a regulatory body such as Ofcom. Those organisations can and should formulate policies, allocate resources and check compliance, but we also need a much more flexible arrangement to provide effective command and control of both our detailed preparations for, and our response to, attacks. Perhaps there is a role here for an expanded National Cyber Security Centre. So, while I welcome and support this necessary Bill, I urge the Government to view it as just one stage of a much longer journey. It is a good plan, but like all plans it will not survive first contact with the enemy. If we are safely to reap the benefits of new technologies, we need ways not just of regulating them but of dealing swiftly and competently with the dangers presented by their malign exploitation. This Bill goes only so far; we need to go much further.
The need for that resilience—as well as having secure networks—means that if we are asking companies to take out the technology from a particular other supplier, or to not use technology from particular countries in future, for extremely understandable, wise and prescient security reasons, we will need to make sure that we build up a secure, long-lasting and sustainable supply chain strategy in this country. This may not relate only to domestic companies; we have allies around the world and will want to be able to work with other companies and countries around the world to make sure we have that diversity of the supply chain. The lack of diversity has been referred to as a market failure, and I think that was correct. The Government have now very much got on top of this and got ahead of this. I hope the Minister will, as the Bill goes through this House—I will have great pleasure in supporting it as it does—and in future, be able to keep the House updated about the delivery of that diversification of the supply chain, as was announced by my right honourable friend the Secretary of State in November last year. I wish the Bill every success as it proceeds.
“Designations and directions may only be made in the interests of national security.”
Paragraph 35 then sets out the factors that the Secretary of State will take into account, which presumably could give ammunition to a potential litigant. Subsection (5) of new Section 105Z1 of the Communications Act 2003 inserted by Clause 15 says:
“A designated vendor direction must specify … the reasons for the direction”.
However, the next subsection says that “specifying reasons” need not be given if it
“would be contrary to the interests of national security”,
while, in new subsection (2)(1) we are told that a direction can be given only
“in the interests of national security”.
So, we seem to be going round in circles. I wonder whether my noble friend can shed some light on this paradox.
My second question relates to responsibility for telecommunications security within the Government. The Explanatory Notes tell us:
“The security of telecoms infrastructure needs to be considered within an international context”
and we read how cyberwarfare is going to displace conventional warfare. The powers given to the Government in the Bill to protect the integrity of our communications network rest with DCMS but, at the moment, the Secretary of State is not on the National Security Council, which to me seems a surprising omission. The National Cyber Security Centre, whose work is central to the operation of the Bill, is part of GCHQ, which reports to the Foreign Secretary. The Cyber and Government Security Directorate sits within the Cabinet Office, leading on the co-ordination and delivery of the classified national security risk assessment, which assesses the most significant risks to the UK. When I answered Questions for the Cabinet Office in your Lordships’ House, I had to answer Questions about Huawei—or, if I did not answer them, I at least replied to them. Finally, a significant proportion of telecommunications research is led and funded by the Department for Business, Energy and Industrial Strategy and its external bodies, such as UK Research and Innovation and Innovate UK, report to BEIS. Can my noble friend explain, perhaps in a letter, the inner wiring of responsibility for dealing with cyberwarfare between the FCDO, the Cabinet Office, the MoD, BEIS and DCMS?
My last point concerns the ambition to create one of the toughest security regimes in the world and set up the UK as a global leader in the telecoms supply chain, a point made by my noble friend Lady Morgan of Cotes. I very much welcome this. Other countries in the free world face the same challenges as the UK in protecting the integrity of their national networks and others are reducing their dependence on Huawei. So, there is a real opportunity here to win new markets, create fresh investment and employment in the UK on the back of this Bill and build back better. To what extent is the UK liaising with other countries to ensure that the standards—the codes of practice mentioned in the Bill—are recognised by other countries, so that the new supply chains that we plan to create in the UK enable us to penetrate new markets? Can my noble friend amplify what she told us in her letter of 2 June about the steps we are taking to set up the UK as a global leader in this field? What progress has been made in attracting new suppliers to the UK market? What is the follow-up to the telecoms diversification task force under my noble friend Lord Livingston? It reported in April with a wide range of recommendations: the co-ordination of government activity, a targeted international engagement strategy, joint working on standards and buy-in by other countries.
I conclude by quoting from that report:
“It is therefore essential that the UK coordinates its efforts with like-minded nations and focuses investment in areas that can succeed on an international, not national scale. … If the Government is to move the dial towards the UK’s long-term vision for the market, it will require buy-in and support from a critical mass of nations.”
I have not seen a government response to those thoughtful and wide-ranging recommendations. Perhaps, again in a letter, my noble friend could set out how we plan to build on the recommendations in that report.
With these comments, I wish my noble friend well as she pilots this Bill on to the statute book.
“The Bill provides for codes of practice to play a significant role – both in relation to the exercise of OFCOM’s regulatory functions and in legal proceedings – in supplementing the important duties to take security measures that the Bill imposes on providers.”
It concludes:
“In our view, it is unacceptable for codes of practice that will have the significant statutory effects provided for in this Bill to be subject to no Parliamentary scrutiny procedure.”
I differ from the committee simply in that, in my view, the procedure to be adopted must, at minimum, be the affirmative procedure. As Comms Council UK has pointed out, Section 105E is not the only proposed new section which gives the Secretary of State extensive powers; there are others. Proposed new Section 105Z1, for example, gives power for the Secretary of State to outlaw the use of individual vendors, where there is potentially no parliamentary oversight, if the Secretary of State considers it would be contrary to national security—as has been referred to by other noble Lords. Surely that is exactly where oversight by the Intelligence and Security Committee, as the noble Lord, Lord West, has so cogently said, or by the Investigatory Powers Commissioner, as the Constitution Committee has suggested, would be not only appropriate but essential. The whole area of enforcement of compliance and, under proposed new Section 105Z27, as regards power to require information and the requirement not to disclose, needs similar oversight.
Nor is there any dedicated role for judicial oversight. Unlike similar legislation, such as that under Part 8 of the Investigatory Powers Act 2016, there are no provisions for judicial oversight of the Secretary of State’s powers. This is compounded by the fact that, under Clause 13, in any appeal to the Competition Appeal Tribunal, the tribunal cannot take account of the merits of a case against the Secretary of State, the rationale for which, as the Constitution Committee says,
“is unclear and is not justified in the Explanatory Notes.”
Can the Minister make a better fist of the explanation today?
With regard to Ofcom’s new powers to ensure compliance with security duties, as set out in the proposed new Section 105M, how will these relate to Ofcom’s existing powers under Sections 3 and 6 of the Communications Act 2003? Will this duty and the new powers Ofcom is being given still be subject to good regulatory practice so that, for example, it still must have regard to the principles of transparency, accountability, proportionality and consistency, and not impose unnecessary burdens? How will this fit in with the statement to be made by Ofcom under proposed new Section 105Y? What assurance can the Minister give? Will we see a draft during the passage of the Bill?
Similar considerations apply to the new Ofcom powers to assess compliance under Clause 6 and in regard to inspection notices under Clause 19. As the council has also pointed out, there are no clear mechanisms for technical feedback or expertise to be fed in. It observes that many of the technical requirements that will be placed on its members are not in the text of the Bill but in accompanying documents which are either yet to be published or are receiving very little scrutiny.
Already it is clear that, in the draft Electronic Communications (Security Measures) Regulations, which are to be made by virtue of the proposed new Sections 105B and 105D, giving the Secretary of State power to make regulations to require telecoms companies to take “specified security measures” and “in response to security compromises”, there are real issues with regard to provisions about patches and supply chains and definitions regarding audit and monitoring of foreign network operations centres, and it is not clear that expert technical industry comments are being taken on board. What further consultations are planned? Is this not exactly where a technical advisory board and/or panel, as under the 2016 Act, is needed? Will they even be subject to the affirmative procedure in Parliament?
This lack of clarity and transparency is causing a great deal of uncertainty within the industry. Measures are being proposed that are either technically unworkable or potentially damaging to the strength and health of the UK telecoms industry. Particular concerns arise for providers whose networks are not based purely in the UK and who do not have the relationships with the department, Ofcom and the NCSC that domestic providers may have if there is no structured consultation, oversight and update process when codes are being drawn up. BT itself says:
“we believe greater clarity is needed on OFCOM’s planned approach, with safeguards introduced in the Bill to ensure operator burdens are proportionate.”
It also makes the point that the flexibility in the Bill should not be used to bring forward any deadlines for removal of equipment. What assurance can the Minister give on this?
As well as concerns about the new powers, there is also concern reflected by the Constitution Committee about the width of crucial definitions such as “security compromise” and “connected security compromise” contained in the Bill, and the consequences that flow, particularly as regards planned outages and the need to make a clear distinction between reporting on security compromises and on resilience.
I think that I have gone into enough detail at this Second Reading to amply demonstrate that we have quite an amendment job ahead of us in Committee and on Report.