Telecommunications (Security) Bill - Second Reading

Part of the debate – in the House of Lords at 2:45 pm on 29 June 2021.

Alert me about debates like this

Photo of Lord Stirrup Lord Stirrup Crossbench 2:45, 29 June 2021

My Lords, I welcome this Bill. It is not only necessary, it is also overdue, but it is just one step on a path along which we have much further to go. By itself the Bill will have only a limited impact. If we are to realise its benefits, we need to think about the wider questions it leaves unanswered. Addressing these questions is crucial to our future safety and prosperity.

Throughout history, technological advances have brought with them exciting new opportunities, but they have also introduced serious vulnerabilities. Meanwhile, as our society has grown more complex, interconnected and interdependent, so its ability to weather shocks has grown more fragile—to the point now that serious technological disruptions could have catastrophic consequences. This should not be taken as an argument against embracing technology and the benefits it confers. It should, though, make us think very seriously about the new vulnerabilities we create and how we might mitigate the associated risks.

The Bill goes some way towards meeting that responsibility, but it does not provide the whole answer. As the title of the Bill tells us, the issue we confront is one of security, but we have to ask ourselves what exactly we mean by that term. In my view, we do not mean invulnerability. We should certainly seek to defend critical areas such as our telecommunications from attack, but a defender always has certain disadvantages. The choice of when, where and how to attack lies with the assailant and the defender is, at least at first, on the back foot. This problem is particularly acute when the space or activities to be defended are widely spread, as with our telecommunications network. We cannot therefore assume that an attack will fail, no matter how well we prepare. Quite the opposite: we have to assume at least a degree of success. So, the security of our national telecommunications infrastructure becomes a question less of how to prevent attacks entirely and more of how well we can absorb and recover from them.

In its first report of May last year, the National Infrastructure Commission acknowledged as much and recommended an architecture which can “anticipate” challenges, “resist, absorb” and “recover” from attacks and adapt accordingly. It calls on the Government to set “resilience standards”, appoint regulators to “oversee regular stress testing” and require that:

“Infrastructure operators produce long term resilience strategies”.

Can the Minister tell the House what progress has been made in implementing these recommendations?

All of this seems to throw up two different categories of question: what policies and actions would best protect our infrastructure from attack and achieve the necessary resilience, and how do we provide appropriately rapid assessments and directions to counter the effects of such attacks?

On the first point, at which this Bill is aimed, the Huawei experience would seem to suggest restricting the provision of parts of our infrastructure to trusted suppliers and operators, but who are they and how are they to be engaged? They cannot be drawn solely from the ranks of “British” companies—whatever that means in today’s globalised business environment—since we do not have the mass, the spread or the technologies within our economy to meet all our own needs. It is certainly possible to identify less risky 5G suppliers than Huawei, but not ones that are risk free.

Even where we do have a national capability to provide and operate parts of our infrastructure, problems remain. Are the Government to identify such national champions in selected areas of business? This may be necessary in some very restricted areas, but such dirigisme has a poor track record in the UK for two principal reasons. First, the Government are not very good at identifying winners. Secondly, in order to remain in business, such champions need a regular drumbeat of UK orders, which, in turn, stifles competition and efficiency. There are many salutary examples of this in the history of defence procurement.

A more productive approach might be to decrease reliance on one or even a few suppliers and thus build a degree of redundancy into the most critical parts of our infrastructure. This would not be the cheapest solution, at least in the short term, but the level of insurance that it provides might be well worth paying for. The Government need to develop an approach that balances cost, risks and resilience—that constantly monitors and rebalances this equation in the context of our complex and dynamic world.

This requirement, alongside the observation that some of our judgments will inevitably prove to be wrong, and in the expectation that some attacks will succeed, at least in part, brings me to my final point. Things move quickly in the world of technology, and they will move even faster during a determined attack on our telecommunications infrastructure. If we are to respond successfully, if we are to absorb the first blow, recover from it and reshape ourselves for the future, we will need two things: agility and adaptability. Agility in this sense is our ability to respond quickly to those things we did not or could not foresee—to change our systems, plans and, indeed, our thinking on the fly to check and outmanoeuvre our opponents. Our resilience and ability to recover will depend on this. Adaptability, by contrast, is about our ability to change our longer-term posture in the light of emerging threats and opportunities and to learn from both failure and success. Agility keeps us in the fight and helps us master immediate challenges. Adaptability maintains our readiness in a changing world.

Provision of these crucial attributes cannot be left to the individual service providers, but neither can they be delivered by the Government or by a regulatory body such as Ofcom. Those organisations can and should formulate policies, allocate resources and check compliance, but we also need a much more flexible arrangement to provide effective command and control of both our detailed preparations for, and our response to, attacks. Perhaps there is a role here for an expanded National Cyber Security Centre. So, while I welcome and support this necessary Bill, I urge the Government to view it as just one stage of a much longer journey. It is a good plan, but like all plans it will not survive first contact with the enemy. If we are safely to reap the benefits of new technologies, we need ways not just of regulating them but of dealing swiftly and competently with the dangers presented by their malign exploitation. This Bill goes only so far; we need to go much further.