Telecommunications (Security) Bill - Second Reading

Part of the debate – in the House of Lords at 2:17 pm on 29 June 2021.

Alert me about debates like this

Photo of Baroness Barran Baroness Barran The Parliamentary Under-Secretary of State for Digital, Culture, Media and Sport 2:17, 29 June 2021

My Lords, this past year has put into sharp focus the importance of digital connectivity, which has been vital in keeping both people and industries going in these challenging times. In the other place, my right honourable friend the Secretary of State spoke about the potential for 5G and gigabit broadband to transform our lives. The Government are investing billions of pounds into these cutting-edge technologies. However, we can be confident in the technology only if we know that it is secure.

That is why we have introduced the Telecommunications (Security) Bill. The Bill will create one of the toughest telecoms security regimes in the world. It will protect our telecoms networks even as technologies grow and evolve, shielding our critical national infrastructure both now and for the future. I will briefly outline the context for the Bill and why it is necessary, before turning to the intent of its clauses and delegated powers.

The security and resilience of 5G and full-fibre networks is not just in the national security interests of the UK. It is also crucial to the UK’s economic interests and future prosperity. The House will recall that this Government published the UK Telecoms Supply Chain Review Report in July 2019. It found that telecoms providers lack incentives to apply security best practices and recommended a new framework for the UK’s public telecoms providers that will respond to new and emerging threats to the security of our networks. The review also recommended new national security powers for the Government to control the presence of high-risk vendors in UK networks. The Bill is our response to those recommendations.

I will now outline the intent of the Bill’s clauses, which can be broadly separated into two groups. Clauses 1 to 14 introduce a stronger telecoms security framework, placing new security duties on public telecoms providers. Clauses 15 to 23 introduce new national security powers to address the risks posed by high-risk vendors.

I turn first to Clauses 1 to 14. The Bill amends the Communications Act to create a tough new telecoms security framework, which consists of three layers. First, the Bill places strengthened overarching telecoms security duties on public telecoms providers in primary legislation. Secondly, specific security requirements will be set out in secondary legislation. Thirdly, guidance on the detailed technical measures that providers could take to comply with their legal obligations will be set out in a code of practice. The new legal duties in the Bill and the measures in the secondary legislation will apply to public telecoms providers operating within the UK.

To illustrate the specific measures that providers may be expected to adopt, we published an illustrative first draft of the security framework regulations on GOV.UK in January. We have been, and continue to be, in close contact with industry following the publication of the draft regulations. Comments received as part of this engagement are being considered in the drafting of the final version. We will launch a public consultation on the draft code of practice once the Bill achieves Royal Assent. This will ensure that views from all impacted groups are heard ahead of the new framework coming into force.

The Bill provides Ofcom with a new general duty to seek to ensure that telecoms providers comply with their new security duties and builds on Ofcom’s existing security duties. Ofcom will have new powers to assess providers’ compliance. In cases of non-compliance, Ofcom will be able to issue a notification of contravention and, ultimately, financial penalties of up to 10% of turnover. Recognising that Ofcom will have expanded duties, DCMS is working with it to ensure that it has the necessary capability and capacity to deliver those vital functions. We have already increased Ofcom’s security budget for this financial year by £4.6 million to reflect its enhanced security role, in addition to its existing funding. Ofcom will also continue to work closely with the National Cyber Security Centre in the delivery of its security functions. The two organisations have published a statement, available on Ofcom’s website, which sets out how they plan to work together.

Clauses 15 to 23 introduce new national security powers to manage the risks posed by high-risk vendors in our telecoms networks. The Bill includes new powers for the Secretary of State to designate specific vendors in the interests of national security and issue directions to public communications providers. Those directions will place controls on a provider’s use of goods, services and facilities supplied by a designated vendor. Once a designated vendor direction is issued, the Secretary of State can direct Ofcom to collect information from providers and report back so that the Secretary of State can determine whether a provider is complying with a direction. Government amendments were passed in Committee in the other place to bring the powers in Clauses 15 to 23 into force immediately upon Royal Assent.

The Government have announced that UK telecoms providers should cease to install Huawei equipment in 5G networks after September 2021 and remove all Huawei 5G equipment by the end of 2027. We published an illustrative direction and designation notice in November 2020 to demonstrate how the powers in the Bill could be used in relation to Huawei in line with these announcements. Once the Bill receives Royal Assent, any proposed designated vendor directions and notices will be subject to the relevant consultation requirements set out in the Bill.

I will now turn to the delegated powers in the Bill. It contains nine delegated legislative powers to make secondary legislation and two administrative powers. Six of the delegated legislative powers are to amend the maximum penalties specified in the Bill. These are Henry VIII powers and are subject to the draft affirmative resolution procedure. A further two are powers to create regulations setting out specific measures to be taken to comply with the new security duties and are subject to the negative resolution procedure. Finally, one power is to make regulations commencing certain provisions in the Bill and is not subject to any procedure. The two administrative powers are the power to issue codes of practice and the power to give designated vendor directions to providers.

Our approach to the delegated legislative powers is in keeping with precedent. The powers to amend maximum penalties in the Bill are consistent with those in the Communications Act 2003. I appreciate the need for Parliament to have the right mechanisms to scrutinise the powers that we are taking in the Bill. I am confident that the approach we have taken finds the appropriate balance. As the House would expect, we have submitted the delegated powers memorandum to the Delegated Powers and Regulatory Reform Committee. I thank it very much for its prompt report on the memorandum, which I read with interest. The Government will consider the committee’s recommendation concerning the power to issue codes of practice about security measures and aim to respond to the report fully in due course.

To conclude, the Bill has not been designed around one company, one country or one threat. Its strength is that it will create an enduring and effective telecoms security regime that will be flexible enough to keep pace with changing technology and changing threats. I hope that noble Lords on all sides of the House will welcome it. I beg to move.