Telecommunications (Security) Bill - Second Reading

Part of the debate – in the House of Lords at 4:35 pm on 29 June 2021.

Alert me about debates like this

Photo of Baroness Merron Baroness Merron Opposition Whip (Lords), Shadow Spokesperson (Health and Social Care), Shadow Spokesperson (Digital, Culture, Media and Sport) 4:35, 29 June 2021

My Lords, new technologies have long transformed the way we work, live and travel, but our experiences during the pandemic have upped the ante on the degree to which we rely on telecommunications networks. Today we have heard an enlightening and probing debate in which noble Lords have considered the number one priority of any Government: our national security.

The risk we face is as significant as it is real. The noble and gallant Lord, Lord Stirrup, spoke with insight about the need for agility and adaptability to meet the risks that we face in a resilient manner. The most recent UK Cyber Security Breaches Survey found that 62% of information and communications companies surveyed identified breaches or attacks in just the last 12 months, compared with 46% across all sectors. Many of us have first-hand experience of these security risks, as described in the Bill’s impact assessment. The noble Lord, Lord Vaux, thoughtfully brought that reality to life by describing the horrors that so many people face, day in, day out, which will be very familiar to many of us in this House.

When O2 suffered a major network failure in 2018 due to an expired software certificate, over 32 million users in the United Kingdom had their data network go down for up to 21 hours. In 2015, hackers targeted TalkTalk, stealing the personal data of over 1 million customers. In the same year, security was undermined when internet traffic for BT customers, including a UK defence contractor that helps deliver our nuclear warhead programme, was illegally diverted to servers in Ukraine. Understandably, these incidents and many others generate deep unease and a lack of national and individual security, which the Bill must address.

We can reflect that a sector that should have been subject to rather more attention over a decade ago is now the subject of this Bill. During this period we have lacked a telecoms industrial strategy and have seen a focus on foreign investors over and above our national security. Since 2010, successive Governments have allowed the sector to be dominated by a high-risk vendor, taking us from what were golden times to the current ice age. Regrettably, competition on price rather than security has become the order of the day, while security has been left to the market.

As the impact assessment identifies, the telecoms industry provides opportunities for new and wide-ranging applications, business models and increased productivity, whereby 5G will be used for everything, from autonomous cars to remote medical examination and health monitoring. This is crucial. Clearly, we will not achieve the Government’s aim of becoming a science and tech superpower by 2030 without it.

Let us also remember that the complex UK telecoms industry contributes £32 billion to the economy and directly provides nearly a quarter of a million jobs. It is therefore important that we legislate for the Government to have the power to act to prevent dependency on high-risk vendors such as Huawei, and to recognise the blurring of the lines in the grey zone, where cyber- attacks on critical infrastructure will become, regrettably, increasingly regular.

This Bill is a necessary step and, in general, we welcome it. However, I have some words of caution, many of which chime with the themes highlighted during this debate. There cannot be a scattergun approach to security, and it is the absence of a joined-up approach that I want to pursue first. I was interested that the noble Lord, Lord Young, raised points about the number of departments that telecoms security touches and the need to resolve this interface in a co-ordinated fashion. I hope that the Minister can explain how this will be resolved and how this Bill interacts with the National Security and Investment Act, which recently passed through this House. How will the Government’s stated intention of having complementary regimes that protect telecommunications’ critical national infrastructure from national security threats be achieved?

The Government have said that the National Security and Investment Act was needed as the Tele- communications (Security) Bill does not extend to investments in the communications providers themselves or investments in other infrastructure used to provide communications. It also cannot prevent the acquisition of vendors by hostile actors. To this end, are the Government actively considering further redrafting of the communications supply chain definition, potentially listing the specific components of the supply chain that should be caught? When will we see the final sector definition for the communications sector?

Concerns have been expressed today, which I share, about what is not in the Bill as much as what is in it. The exclusion of the cross-party Intelligence and Security Committee from oversight of the measures in the proposed legislation, despite its remit in relation to national security, is baffling at best and deliberate at worst. As my noble friend Lord West so ably highlighted, this came up in the National Security and Investment Act and yet the relevant parliamentary committee is well and truly parked out of sight. It is hard not to suggest an unhealthy aversion by the Government to the committee since failing to secure the post of chair for their preferred candidate, which, if so, would be a failure of duty to do the right thing. On the matter of scrutiny, I was interested in the thoughtful considerations from the noble Earl, Lord Erroll, and I am sure these matters will be debated further.

On the continuing theme of what is missing, diversity of suppliers is needed at different points of the chain with sufficient support for the UK’s own start-ups. However, the Bill does not even mention supply chain diversification or the diversification strategy, even though we all agree that we cannot have a robust and secure network with only two service providers, which is the number that we will have left once Huawei is removed from our networks. Support for Britain’s start-ups is needed to deliver this diversity, but the Government’s investment of £250 million will surely not be enough. As the Science and Technology Committee has called for, will the Government produce an action plan with clear targets and timeframes for how that funding will be spent?

This Bill provides a vast and continuing expansion of Ofcom’s remit. It also gives the regulator sweeping new powers and responsibilities. However, Ofcom lacks experience in national security. These changes will demand the recruitment of people with specialist skills and the required level of security clearance. How will this be handled? The impact assessment states that the cost of monitoring compliance for Ofcom is up to £49.4 million from now up to 2029. Can the Minister assure the House that Ofcom will have the relevant resources?

The security of our telecoms network sits firmly within an international context, as my noble friend Lord Maxton said. As the impact assessment states:

“The most significant cyber threat to the UK telecoms sector comes from states. The UK Government has publicly attributed malicious cyber activity against the UK to Russia and China as well as North Korea and Iranian actors”.

This concern is clearly shared with our key allies, as confirmed in the recent NATO summit’s communiqué.

This Bill was published in November—before the integrated review of security, defence, development and foreign policy had concluded. The review states:

“Under the provisions of the Telecommunications (Security) Bill, supported by the 5G supply chain diversification strategy, we will … work with partners, including the Five Eyes, to create a more diverse and competitive supply base for telecoms networks.”

Can the Minister advise how this work is proceeding? How many companies in our supply chain sector have Russian or Chinese owners?

The noble Lord, Lord Alton, made a powerful intervention, echoed by other noble Lords, about the need for due diligence in respect of human rights—something that has been of great and continuing concern to this House. The continuing persecution of the Uighur Muslims and their plight shames the world. I am sure that the Minister will wish to reflect on this matter.

In the course of this debate, your Lordships have heard much about Huawei being the perfect illustration of why this Bill is needed. We support the action to protect the UK from the threats presented by this high-risk vendor that has huge strategic significance. As a Chinese company it could, under China’s national intelligence law of 2017, be ordered to act in a way that is harmful to the UK, and the Government state that,

“the Chinese State (and associated actors) have carried out and will continue to carry out cyber attacks against the UK and our interests”.

Despite this clarity, the telecoms supply chain review of 2018 recommended that Huawei equipment should be removed only from the sensitive part of the core network and could still make up a maximum of 35% of the non-core systems with a deadline of 2023.

In 2020, UK telecoms companies were latterly told by the Government that they would be banned from buying Huawei’s 5G equipment from January 2021 and that the Government want complete removal of Huawei equipment from our 5G networks no later than 2027—as we have heard, at a cost of £2 billion and a delay to 5G rollout by two to three years. Can the Minister indicate how the UK is going to benefit from the costly debacle of ripping out Huawei?

On spreading the risk, the Government’s vendor diversity task force said that the UK must ensure that smaller telecoms equipment makers become key suppliers of Britain’s 5G mobile phone networks once kit from Huawei is stripped out of the infrastructure. It said that smaller equipment manufacturers should provide 25% of the kit used in 5G networks. Have the Government accepted this target? We cannot end up in a similar situation again as we saw with Huawei.

This Bill must be future-proofed and provide for a horizon-scanning function to identify emerging threats and potential weaknesses in UK telecoms providers’ asset registers. We will be seeking amendments to the Bill that fill in the many missing gaps and will work across all parties to do so. As I have said, it is as much about the glaring omissions as it is about what the Bill contains. The UK cannot end up in another costly security debacle as we did with Huawei. The Government need to look to the future rather than letting it continue to overtake us. Let us hope that this Bill can do that job.