Stefano Cantarelli, John Baker, Pardeep Kohli and Chris Jackson gave evidence.

We are now going to hear from Stefano Cantarelli, global chief marketing officer, John Baker, head of RAN business development, and Pardeep Kohli, chief executive officer, of Mavenir. Joining them is Chris Jackson, president and chief executive officer of NEC Europe Ltd. We will use the same format as last time, although if you want to direct your question to a specific witness, that might be helpful. We have until 3.30 pm for this session. I ask the witnesses to introduce themselves.

Stefano Cantarelli:

Good afternoon everybody. My name is Stefano Cantarelli. I am the chief marketing officer for Mavenir. I have spent the last 30 years of my life in telecommunications, of which 20 years have been in the UK, in both fixed and mobile networks.

John Baker:

Good afternoon. I head up business development for Mavenir. I was instrumental in setting up the UK industry back in the ’80s for manufacturing and R&D for Nokia, and with Vodafone and Orbitel. I have long experience in the industry and I have been leading the open RAN initiatives from the US globally. I am a member of the open RAN policy coalition board.

Pardeep Kohli:

I am Pardeep Kohli, President and Chief Executive Officer of Mavenir. I have been with the company since 2005. The company is over 20 years old and employs about 4,500 people. We have a good presence in the UK. We have been providing software for telecoms applications to UK operators for over 20 years. All operators use our software today for making phone calls, sending messages and voicemail. We started working on open RAN five years ago and now we have deployment in the UK, which has been provided in the test sites. We are building networks in other parts of the world as well, based on open RAN.

Chris Jackson:

Good afternoon. I am Chris Jackson, CEO of NEC Europe. I have worked for NEC for 12 years. I took on the role of CEO for Europe on 1 April last year. In terms of my opening statement, I fully support the principles of the Bill. It has been well constructed. The additional powers that the Government and Ofcom now have are much more wide-ranging, and we absolutely support that. We very much promote the vendor diversification strategy, and we are supportive of the aims and objectives behind it.

Who wants to go first? It looks like it is Mr Johnston. Can I just ask you to say which of the witnesses you are directing your question to?

Yes, although I was going to ask them who they think is best to answer it.

There is always one.

Q We asked the previous witnesses this question. When it comes to stringency on these issues, do any of you feel able to give us a sense of the international comparison between the regime that this Bill creates and regimes around the world?

John Baker:

Perhaps I could take that one. This is falling in line with what is going on globally. We see initiatives coming from Spain, the EU and the US. The US is further ahead in terms of passing law on trusted suppliers, and it is now setting timelines and budgets for taking suppliers out of the network. That rip-and-replace programme is now under way. The money for that was approved in December, and operators are looking at open RAN as solutions for that. That is very similar to the activities that you are planning through this Bill in the UK.

Chris Jackson:

What we have seen in Japan is strong support for this direction, but I think the UK Government have taken the lead in terms of putting forward an aggressive stance on this to ensure that the security of the country is protected. The UK is doing everything that we would expect it to, and we fully support that.

Stefano Cantarelli:

Some of the things said about the diversification of the supply chain are particularly important in terms of the ability to create competition and, as such, innovation. The interoperability of interfaces is fundamental in order to boost data and to be able to create more competition. We strongly believe that competition is based in innovation, and innovation these days can create a very powerful cycle of technology. It is not like how it was in the old days when it took maybe a year, two years or three years to get things into deployment; today, in less than a year a trial can become a commercial deployment.

Pardeep Kohli:

I agree with the other gentlemen. In a number of countries, operators have made the decision that, going forward, they will only buy open RAN-based solutions. Governments are supporting that in many parts of the world.

Q This question is to whoever wants to pick it up. The debate in the UK on Huawei has been around hardware, and clearly open RAN is the future. Can you give an indication of two things? First, what are the timescales for its development and deployment? Secondly, because we have got operators currently taking out Huawei kit and putting in Ericsson or Nokia kit, how do you incentivise those companies to take the open RAN approach in terms of developing a market for that product? Where are we at internationally on open RAN compared with other countries?

Pardeep Kohli:

Let me start. You are right that until now it was all about hardware, because people were building proprietary hardware to supply radio products. When you do hardware-based solutions, the scale matters, because you need logistics, manufacturing capability and factories, and obviously Huawei, Ericsson and Nokia had a strong base and the logistics set up.

When you do open RAN, it is more software leaning on general-purpose hardware. Companies like us do not need manufacturing plants any more because we are only providing software, and we have the advantage that our software can run on a private cloud that an operator can build on, for example, standard Dell servers—there are plenty of them, and people can build those—or we can run it on a public cloud on Amazon or Google. If you look at the scale that Google, Amazon and Azure have, Huawei is nowhere close to their scale. In that sense, the whole matter of Huawei’s scale does not matter at all the moment you move a hardware problem to a software problem.

The same thing happens with logistics and people. For us, hardware-based solutions need people to carry the hardware around, bolt it and everything. For software, with the click of a button you can distribute it to 2,000 sites; you do not need people and logistics to drive hardware around. This is how with what we are doing—for example, we are working with Dish to build a nationwide network, and we will have 50,000 sites deployed in less than two years—not that many people are required to do all this, because the problem has moved from hardware to software.

We would like the Government and other people to understand that there is no way any company can beat Huawei with the presence it has in China alone if they take on the problem as a hardware problem. It must be converted into a software problem—that is the only way it can be solved.

On your question about how we convince operators, it is always on the point about proof. We are a 20-year-old company working with operators all over the world. We handle 60% of the world’s operators’ messaging. If you look at SMS, for example, we carry that traffic for all the operators in the UK, and voice calling. We already do more critical services: radio is important, of course, because of the connectivity, but operators are relying on us for the day-to-day services. Now we are working with them to prove that our software is as good or better than what they can get on from the incumbents. Of course, we are expecting them to participate in the journey and work with us so that we can prove to them that we are good. We have done that in all other layers of the software, so we feel that if somebody engages with us, within six to nine months we will prove to them that we are good and it works.

That is working; in terms of the whole idea that the technology does not exist, we have crossed that hurdle. Now it is more about, “Okay, does it work for this use case or that use case?”, or, “In my network, I may have some proprietary stuff I have done with existing vendors, and I want you to do that as well.” So it may take six to nine months, or even 12 months, to get there, but I think we are beyond the point where we need to prove that it works. We know it works.

Q Which country in the world is at the forefront of open RAN deployment?

Pardeep Kohli:

If you look at investments, because of Dish, the US is making the most investments; the Government have now surpassed $1.9 billion on rip-and-replace to replace Huawei equipment, so that will create an ecosystem. In Japan, with Rakuten, they are building a whole nationwide network based on open RAN. We have seen Deutsche Telekom, for example, announce in Germany that it is building an ORAN town, so it will have a whole city that will have only ORAN components in a due timeframe. We have systems applied now in Sri Lanka, in India and in Malaysia. A lot of countries are looking at the economics: obviously, volume makes the numbers different, and with higher volume you will improve the economics further, but if you include the opex cost as well to go along with the capex cost, there is no way to compare what you can get with this technology compared with the legacy one.

I am just conscious of time; do any of the other witnesses have anything they want to add to what we have heard from Mr Kohli?

John Baker:

I would just like to add that Vodafone has been very much in the lead with the development of open RAN solutions. We have been engaging with Vodafone for three and a half years in test labs and specifying the technology, and so on. The UK has been very much part of bringing this technology forward, as well as BT with the Telecom Infra Project labs.

Chris Jackson:

Coming back to your question, I would not like to speculate as to how long it would take for open RAN to become standardised and commonplace within the UK. The Government are setting up a national telecoms lab and SONIC. There are a number of companies like ourselves, NEC, who have just set up our 5G global centre of excellence here in the UK, and the operators have all set up laboratories. If we can start to encourage and bring all those parties together, that is the key to accelerating the technology.

Incentives definitely play a part in this; to comment on Japan for a moment, I know the Japanese Government have incentivised companies to embrace open RAN, and that might well explain why companies such as Rakuten and NTT DOCOMO have been very successful in launching the technology. That proves it can be done and shows that where there is a willingness, there is a way, but if we can drive all those different parties coming together, that is how we will get traction.

Stefano Cantarelli:

I just want to say quickly that we are part of some of the initiatives Chris has mentioned, such as SONIC with DCMS and so on, and we think they are particularly useful to give visibility on the status of open RAN. My last comment is about the hardware; I heard a few comments this morning, and I want to underline that hardware is still quite a profitable business. If we look at what happened to IT servers in the IT industry, there are companies that are much more than profitable in those spaces. Commoditisation of a hardware does not mean that there is no profitable business behind it.

Thank you. I am going to Mr Sunderland. I will come back to you if you want to come back later.

Q I note from the briefing notes that I have here just how much global experience Mavenir has, and that perhaps sets you gentlemen apart from the previous witnesses. Could I therefore ask you this, please? Is there anything, in your experience in this field—particularly, perhaps, in America and the far east—that may require to be better reflected in the legislation?

Is this question for all the witnesses?

Yes, please.

Who do you want to go first?

Mr Baker is the obvious candidate.

John Baker:

I think the legislation, as you have it written, is good and supportive. The underlying thread of this is all about open interfaces. Having open interfaces fully specified makes the ability for testing of elements in the network simpler and easier, because you open up the testing community, the vendors, to produce interoperable equipment, so you can compare equipment side by side. This has been the basis of the whole open RAN discussion. Open RAN is about open and interoperable interfaces. If you follow that philosophy through into this Bill, you should be able to test each of the elements and the network end to end, from a security perspective, so we are fully supportive of the activities that you have in place.

Anyone else?

Stefano Cantarelli:

I will just add that of course, when we say “open interfaces” and “open and interoperable”, “open” means standardised and well known, not open in the sense of open sources or whatever else people can think of. As far as the Bill is concerned, I believe that it is quite appropriate for the specific actions and conditions that will be triggered. I would just suggest that you make sure that it is followed up by secondary legislation to make sure that in some cases there are very tangible and specific examples that will be able to make it a bit more specific and will give directions within the framework that the Bill itself provides.

What about Mr Jackson or Mr Kohli? Do you have anything to add to that?

Pardeep Kohli:

I was about to read something to you about the example offered by the Government of Japan. I am just reading the wording of the document. It says:

“The Government of Japan cites the need for equipment to be interoperable, based on open architecture, and utilize international standards to be certified. MNOs and private network owners are eligible for tax benefits, which include the following…Tax deductions of 15% or special depreciation of 30%... Fixed property tax exemption of 50% for 3 years”.

That is how the Government of Japan have passed the law.

Chris Jackson:

I have nothing further to add to what Pardeep has just said. He has succinctly put basically what we need to do.

Do we have any Catherine West questions in this round?

Catherine is always interested to understand what international comparisons there are, but I think that that has already been addressed, so thank you; she will be grateful to you.

In that case, let us go to Miriam Cates, please.

Q This is a question for Chris from NEC. I think that you have partially answered it already, so do not feel that you have to repeat what has already been said. It appears to me that, if the open RAN trial is successful and the open RAN technology is adopted, it has the potential to significantly disrupt the telecoms market in a way similar to how APIs have disrupted the software market. First, how do you think that it will change the shape of the industry over the medium to long term? And secondly, what experience and capabilities does NEC have that give you the confidence that you will be able to run this trial and it will be successful?

Chris Jackson:

First of all, the answer is yes in terms of, “Do I think it is a game changer?” Absolutely. You only have to look at what happened in the IT industry to see what open standards have done for that, so I absolutely think it is the right thing to do and we very much support it.

In terms of NEC’s capability, if you look at the work that we have done with Rakuten and NTT DOCOMO in Japan, we have shown that we have proven experience and open RAN capabilities. We also have a long history of R&D capability, and we have the capability on the ground now, with the launch of the global open RAN centre of excellence, to take that development further forward in the UK. Those are the main reasons I think the NEC is well placed to take advantage.

A final point that I would make is that, one of the things that we are going to see, which we would want to see, is a lot of smaller companies coming into this marketplace. That is very healthy, and they would certainly play an important part in driving innovation. There is also definitely a need for large companies with strong balance sheets, and NEC certainly ticks that box.

Q Do any of the rest of you have anything to add to that?

John Baker:

Yes, I will jump in. Mavenir is heavily invested in the UK as well. We have addressed the 2G, 3G, 4G solution with the recent acquisition of ip.access in Cambridge. We are building up a significant open RAN solution centre in the UK and we have made several press announcements about that.

In terms of hardware versus software, we have demonstrated that with some of the networks that we have deployed, such as T-Mobile in the US, which has 150 million subscribers essentially running on disaggregated software and hardware platforms. That demonstrates that you can build secure, reliable mobile networks with a software architecture. That is the way of the future. Obviously, that now has to fit into the cycles of deployment and rip and replace that the various carriers have.

Who is next? If there are no pressing answers, I will go to the shadow Minister.

Q Thank you for joining us today. Having read your bios, I am impressed by the breadth, geographic as well as technical and operational, of your experience. To make this concrete for me and others, let us say we had a new mobile network operator in the UK tomorrow. Could you—I will ask someone to answer on behalf of Mavenir and someone on behalf of NEC—provide a 2G, 3G, 4G, 5G network tomorrow, or in 12 months? As a software network, what physical boxes or hardware would it be running on? As part of that, what UK or other providers would be in your supply chain?

Pardeep Kohli:

Maybe I can take that. To answer your question, if there is a greenfield operator in the UK that is similar to Dish, which we are working with in the US, we can definitely provide that. Dish, for example, is doing only 5G, but we obviously look at requirements all over the world and we appreciate that, in certain parts of the world, there is still a lot of 2G and 3G presence, and, of course, 4G will be there for a long time. We have a solution that can handle 2G, 3G, 4G, 5G, and if you are talking about a 12-month window, we can definitely provide a complete greenfield solution for those four technologies.

Regarding the hardware aspect, everything other than the real radio that goes on the tower and does the transmitting and receiving is largely general computing open silicon—

Sorry—say that again. I could not hear that. What is the rest of it?

Pardeep Kohli:

It is general-purpose open compute; it is already available hardware.

It is computing—it is processors.

Pardeep Kohli:

That is correct. You get processors for CPU or general-purpose computing, or even if there are some accelerators, which we use for some specific algorithms, even though they are openly available from companies like Xilinx and Nvidia. They make those chips and we can use them to do some of the functions; but they are openly available, and you can buy that today. That is what carriers are doing. They are building the new networks.

Regarding the hardware that goes on the tower, that depends on the frequency band you allocate, so if there is an operator coming in that is on a frequency band that the existing operators do not have, whoever the vendor is would have to build those radios anyway, and it takes about nine to 12 months to build those.

Q Who builds the radios?

Pardeep Kohli:

Today, because it has always been proprietary solutions, that is where the challenge comes for companies like us, because it is demand and supply. Until open RAN came in, you really could not build this channel on radio, because there was no demand for it. So today the radios get built only by companies like Huawei, Ericsson, Nokia—I know NEC is building a few of them; but now, with open RAN, there are new players coming up. NEC, for example, is building radios outside of the Japan market. Fujitsu has now started building radios. We are actually building some radios ourselves for the frequency bands that are not available from our partners, so if NEC has a radio we use the NEC radio, but if it does not have a radio and Fujitsu does not have a radio and if you want to get into that market, we start building some of those radios ourselves. So we actually have, now, opened a centre in the UK, to build some of those radios, and we are working with Facebook and together we are building some of the radios for a frequency band not currently open.

Q So you couldn’t provide a network tomorrow, but you could provide a network in how long—a 2, 3, 4 or 5G network?

Pardeep Kohli:

So if the frequency band radios are available today, which are right, then we can actually build it in 12 months—the complete network; but if the bands are not available and we have to build those radios then, maybe, by the end of next year.

Q And NEC?

Chris Jackson:

Just to add to what Pardeep has been saying, I think open RAN is not about, necessarily, any one company providing an all-encompassing solution. So at the moment, for NEC, we would provide 4G and 5G radios, but in terms of 2G and 3G we will work with our partners to provide that solution, so we would leverage third parties in order to provide that all-encompassing solution. I think that is the way that open RAN will work moving forward. As I say, you will not see any one company dominating one particular area. It is about bringing best of breed together. In terms of the actual hardware platform, in terms of 4G and 5G, NEC will provide that radio, but as I mentioned for 2G and 3G we would look to other vendors to provide.

Q And who are those other vendors? Are they UK, Europe or US-based?

Chris Jackson:

The majority would be US-based now, but again, we are not restricted to that. As a systems integrator, which is what you will basically need, moving forward, we would work with whichever vendors were the best of breed for that particular scenario.

Q You seem to be saying, then, that you are in a position to compete with Nokia and Ericsson as of today. Is that what you are saying?

Chris Jackson:

We would not compete with Nokia and Ericsson in terms of standard RAN, but the whole idea is that we would look to bring open RAN technology. That is the direction that NEC is supporting. If you ask me whether we could step in today and provide that capability, we believe yes, we could.

Q Again, I thank both NEC and Mavenir for the productive conversations that we have had already about getting involved in UK networks. Obviously, one of the things that was in the diversification strategy is the project with NEC—the NeutrORAN project that we have talked about a little bit today already; and I hope we could do, if possible, something similar in the future with Mavenir. What is striking about the NEC project—it is genuinely significant for UK networks —is that it is a £1.6 million initial jolt of funding. First, Chris—but I am very interested in Mavenir’s perspective as well—will you say a little about how Government can best target the funding? One of the things that we learnt in our previous discussions with you was that this is not solely about the scale of the funding but about the targeting, the way in which we do it and how we get the best value for taxpayers. Chris, will you say a little about that, then we can hear from Mavenir about what the equivalent sort of things might be?

Chris Jackson:

First of all, thank you very much indeed, Minister, for support in that particular trial. We believe that this is very important, because it has given us the opportunity to showcase 4G and 5G open RAN capability with multi vendors, and we are doing it in supporting the share of your network, which we know is an important KPI for the UK Government, in terms of increasing that capability across the UK. They want to ensure that the investment is targeted at areas within the UK—where the UK will receive the most benefit—and, more importantly, or as importantly, an opportunity for a trial that brings multiple companies together. So, although NEC is leading this particular trial, we are working with a number of other companies to bring this overall solution together. That is exactly what open RAN is trying to embrace, and that is the way forward. We would be delighted to work with Mavenir; we are already involved with Mavenir as well. That is not a hurdle or obstacle for us.

Stefano Cantarelli:

There are several angles. The first one is the neutral hosting. I would like to draw attention to the fact that we have already done work with British Telecom, two years back, on neutral hosting, so that has now been talked about for a long time. Also, you might have noticed in the market that companies—the one that comes to mind is Vilicom—have been doing this type of thing, where they deploy Mavenir infrastructure to provide neutral hosting capabilities. So, we are fully supportive and believe that this kind of funding is particularly important.

We understand that that there is some interesting funding. We are in discussion with DCMS. We are discussing some projects that we believe will boost a lot of the innovation in this space. For example, we are trying to get funding for our R&D activities for open source software that could boost the availability of radio units. We say that the radio unit is hardware, but in reality there is of course a bit of software on top. This type of software, which is mainly interfaced towards the rest of the software and the control of the operation and maintenance activities, is not differentiated for each radio unit; it is just standard. By having an open source like that, you can fundamentally get the radio vendors to focus on their IPR for analogue development and being able to produce a radio unit with different frequencies, as Pardeep said before, which we believe could boost the market. That type of funding is particularly useful, because it is aimed at boosting the market and giving availability in the open RAN of these radio units.

I would also like to add that most of the frequencies that are used today in the UK are available in our view for open RAN, so I do not see that as a problem. But that type of investment is particularly important—in R&D—so the trial that you have funded in the first round of the 5G Create programmes is particularly useful to get learning and experience. As I said, in the SONIC, we are particularly active, although that is not a 5G Create programme but a different one. We believe that in the second round, you can focus on funding some R&D specifically to boost the ecosystem of the open RAN.

Q Finally, would you agree that there are plenty of opportunities for us to use those trials and test beds to boost British companies, particularly in software, around open RAN? That is probably where British firms are likely to focus, at least in the first instance, rather than hardware.

Stefano Cantarelli:

First, remember that, as John mentioned, we acquired ip.access, which is a British company that has been in hardware for some time, so there is still space for hardware as well. Software is definitely where the majority of the innovations are. That is particularly clear—Chris mentioned this—in the IT space, where they moved from generic servers. I want to reinstate that, with servers generically available everywhere. The whole thing has really flipped on to different software. That will definitely boost the ability of a lot of companies to bring innovation.

As we always repeat, competition means innovation, and innovation is the only way. Many years ago, I was part of Vodafone. I built the 3G network for Vodafone in the UK, and at that time I had only one supplier in my network—I will not say who. I introduced another one, and it was only then that the other suppliers started to be active. Some legacy suppliers—I would say most of them—start to sit down and lie back if they are the only one in the network, because there is no motivation. From my experience from all these 30 years, that component is so important.

Thank you.

Q I wholeheartedly agree with that last comment about the importance of competition, particularly in the supply chain. That is my experience as well, in terms of building out networks. I am just struggling to understand why Vodafone, Three and O2 said earlier that there were only two full-service suppliers in the UK, when Mavenir is saying to me that you could supply a 2G, 3G, 4G or 5G network within a year. I am struggling to understand how that works. Is it a question of the network operators not being prepared to commission you? Is it an issue of price, complexity or management? Why are you not considered a full supplier by the existing network operators in the UK?

Stefano Cantarelli:

Let me just address that initially before anyone else. We are a supplier in other places in the network, so they consider us a reliable supplier. We supply voice services, messaging services and everything else. You mentioned the initial deployment of open RAN by Vodafone this morning. That relates to us, because we are the supplier that it has deployed and is continuing to deploy. We are actually deploying sites for it.

I think that you have to look at two aspects when you are on an operator’s side. I am speaking from experience. It is not just about the technology; it is also about your processes and how you are able to move forward and change your mindset. I think that operators have a lot of complexity. We sympathise with them, of course—it is not an easy environment—but there are a couple of mindsets that they need to over-pass, if you let me use that word.

First, the world is changing. It is not hardware and software together; it is software and hardware disaggregated, and that of course requires some different capabilities. It is the same as when we passed from circuit voice to packet voice. Some people here may not get the example completely, but it is just a different point of view. That does not mean that it is more complex or whatever; it is just a different point of view, and you need to change. We know that change is not an easy thing. That is the first aspect that we need to take into consideration.

The second aspect is that, despite the technology that is available, you still need to consider the in-life service that you need to swap over. You have to consider that you did some planning or design based on certain principles that were available before, and you need to rethink how you are going to do that. For example, most of the 5G deployed today just uses additional frequencies on the existing sites that they have deployed with 4G, 3G and 2G. This is not what I consider full 5G, with all the characteristics of low latencies and so on. You need to start to think about the densification of sites. The Government can help a lot—with policies, by helping to define new capabilities, and by allowing the operators to change their architecture by enabling them to get more sites, and get permits more easily to build new sites.

These sites will not be like sites today; on these sites, there will be lot of carriers, a lot of technologies, and a lot of frequencies. As Pardeep said, a site today is probably just a radio unit that connects, through an internet connection—not necessarily just fibre—to a software data centre. These things are more important, and they are the reason why, although operators are in the middle of that transformation, it is taking a bit of time.

Q That is very helpful. I think you said that a site would connect not with fibre, but with something else.

Stefano Cantarelli:

Not only with fibre. The open RAN interface is such that you are not forced to use fibre only. You can also use internet connectivity. The internet is what you use when you are in a building.

Q That is really helpful. What you are saying is that although you could deliver a full-service 2G, 3G, 4G or 5G network tomorrow, that is not what our mobile operators want. They want an incremental improvement from what they have to what they need to provide services. The cost is a real issue. The transition from 4G to 5G/open RAN is part of the challenge, and we need to understand better how the Government can support that. You talked about making it easier to roll out new open RAN sites. I am interested to know whether there are other ways in which the Government could support that.

Stefano Cantarelli:

I add that this transformation in the core infrastructure has already almost happened. Already, most of the core infrastructure of the MNOs is running on general-purpose hardware, such as Dell servers and so on, with software on top of it. The RAN is really the last one to be transformed, for the reason that I gave, and also because, as I said, the market has been dominated by some suppliers who have been providing hardware and software, because they work with better interfaces between the radio access component.

Thank you. That is very helpful. That makes me think that there are security issues arising from, for example, having our cloud infrastructure dominated by one vendor, such as Amazon Web Services. Those are perhaps future security issues that we need to look at. I now understand much better what you need to support your transition, so thank you very much for that.

Q Do any of the witnesses have any final points that they want to make?

Pardeep Kohli:

I would just add that I understand the operators’ point of view as well. They are familiar with these vendors; they have been using them and they understand their processes. The vendors know each other. Obviously, we have to gain their trust. We spend over $300 million on research and development every year on open RAN, so we are fully committed, and we will seek any help that you can provide on engaging with operators in the UK market.

Chris Jackson:

Can I come in on the NEC side of things?  Frankly speaking, we are re-entering this market, and one of the reasons why is because we believe that open RAN, and particularly the Bill, now provides the framework and conditions to enable us to compete. It is probably similar for the operators; it is a change for them to actively work with companies such as NEC, as opposed to the companies they have previously been working with, but we are starting that process. We are actively engaged with the operators, and more support from the Government, through the Bill, is the way to move this forward.

John Baker:

One last comment. Open RAN is all-inclusive, so this is not excluding the incumbents of the network. As soon as Nokia and Ericsson add open RAN interfaces to their products, we will be very happy to work with those guys. That will speed up the ability to deliver open RAN solutions in the marketplace.

If there are no further questions, it remains for me to thank all our witnesses. We are extremely grateful to you.

Sitting suspended.

Examination of Witnesses

Julius Robson and Dr Louise Bennett gave evidence.

We will now hear from Julius Robson, who is the chief strategy officer of the Small Cell Forum, and Dr Louise Bennett, who is the director of the Digital Policy Alliance, and we have until 4.15 pm for this session. May I ask the witnesses to introduce themselves for the record? Julius, could we start with you?

Julius Robson:

I am Julius Robson, the chief strategy officer for the Small Cell Forum. We are a global organisation of component, equipment and service providers, all working to make mobile infrastructure more accessible to public and private sector organisations of all sizes. We see diversity as being really essential if we are to deliver on the promise of 5G connecting cities and communities, and to provide smart industry and the internet of things.

We welcome the publication at the same time of the Bill and the 5G diversification strategy; it is really important to consider both together, so that we can arrive at the best of both worlds. Two angles have not really been represented to the Committee so far, but are important to diversification. To fuel open RAN, we need chipsets for base stations. We also need to think about diversification at service provider level, so that in addition to mobile operators there are other service providers, particularly neutral hosts and private networks, which can help with this diversification agenda. Those are the topics of which I would like the Committee to be aware.

Thank you. Dr Bennett?

Dr Bennett:

I am Louise Bennett, and I have worked in computers all my career, with a focus on security and risk management. I am attending as a director of the Digital Policy Alliance. The DPA is an independent, not-for-profit membership organisation that alerts parliamentarians and policy makers to the potential impacts, implications and unintended consequences of policies associated with online and digital technologies. I am very grateful to have been asked to give evidence.

DPA is broadly supportive of the intentions of the Bill, because it baselines the security measures required by law in the UK telecoms network, and anything that encourages security to be top of mind for vendors in multiple supply chains is a very good idea.

There are four areas that are absolutely key to telecoms security and on which I hope to answer questions in this sitting. The first is the security of network architecture. The Bill really focuses on this, but in our opinion it does not cover everything adequately. The second is the security of data—both data about the network and data going across the network. The latter is covered to quite a large extent, but the former, which I would characterise as begin about the network asset database, is not adequately covered, and if it is not properly covered, I do not think that you will succeed in your intentions.

The third area is the processes for maintaining, over time, the security needed time—that is not adequately covered, either—and appropriate scrutiny of how that is done. The fourth area is operational costs and other impacts of compliance, which I do not think have been fully considered.

Thank you very much. Okay, who wants to go first?

Dr Bennett:

I am happy to go first.

I think it is possibly better if I get one of the Members to put a question to you first. David.

Q That was a helpful teaser of what you think about this legislation. Could you expand on exactly why you have that view on what you see as the inadequacies?

I think that is primarily to Dr Bennett.

Dr Bennett:

It is because I care very much about you succeeding with this. I think everyone in the telecoms industry wants your intentions to be met, but we have to remember that when it comes to something as complex as security in the UK telecoms network, even if everyone follows best practice, it is a question of not if there will be a security breach, but when, and how quickly you can mitigate it. The reason is that our communications network has grown like Topsy. It has multiple digital infrastructures sitting on a lot of legacy systems, including analogue systems and copper. It is a very complex system of systems, with multiple, ill-defined interfaces and literally billions of end points, many of which have no security at all; the internet of things is an example.

The question is how you can minimise the likelihood of breaches. To do that in this very complex situation, you need a balance between light-touch regulation, which Ofcom seems to prefer, particularly with tier 3 suppliers, and the absolute need for security. Looking at our absolute need for security and the recent SolarWinds compromise, the inclusion of SolarWinds Orion products in networks was considered by everyone to be perfectly sensible. It was a trusted supplier. However, the latest things that I have seen say that thousands of networks have been compromised by that. As it seems to have been a spying attack, only about 10 networks are known to have been breached, but it will take months for all of those networks to be secured, and there are other potential breaches. The NCSC recently put out a note about that to all end users.

That is typical of the kind of things we will face. If we want an infrastructure that can cope with that, we need to do a lot of things. There needs to be a very honest and open dialogue between all the telecoms suppliers, their supply chains, their subcontractors, the Government, Ofcom and other agencies.

Q I will interrupt you there for a second, but I will come back to you. Mr Robson, do you have anything you want to add?

Julius Robson:

Security is about resilience, and it is not a question of whether something will go wrong; it is a question of when. When we realise that one of our vendors is high-risk, will it take seven years to fix that problem? That is not a healthy place for our industry to be in. We want a rich diversity of suppliers working together, so that when we identify a suspect component or part in our network, there is something sitting there, warmed up and already integrated, ready to be swapped over. That is where we want to get to.

Dr Louise Bennett pointed out that there are many parts to this network; it has lots of legacy pieces. It is not a bad thing that our network is comprised of many diverse parts—that makes it less vulnerable to a single point of failure. Someone pointed out earlier that there is the idea of the weakest link—something is only as good as its weakest link—but actually, a diverse system with many different types of vendors involved is harder to take down. Maybe you can take down part of that network, but the whole thing will not fail if just one part is compromised. I think diversity is the answer to resilience in this case, and we should be looking to head in that direction.

Q Just to be clear, is your critique of this legislation that you feel that something is missing from it? Or, given that you think breaches are a case of “when” rather than “if”, which I am happy to accept, is your critique that no one piece of legislation could totally protect us from this, and that it is about what the whole sector is doing to keep us secure?

Dr Bennett:

It is partly to do with what the whole sector is doing, but I think some things have not had enough emphasis in the Bill. One of them is what I have called the asset database. Those of us who were involved with the millennium bug know that we spent a hell of a lot of time trying to understand what the asset database for all our networks was, in order to find the components that were likely to cause a problem. I assume that the tier 1 suppliers and our main network suppliers have a comprehensive asset database, but you actually need a well-secured asset database that goes down to the component level. Over time, as you maintain it and move some components out and other components in, you need to be clear about what has happened to them.

At a subcontractor level, that can often be extremely difficult to do. You can find someone who thinks, “Oh, it’s okay; I’ve replaced that with something, and the spec looks similar.” The spec may look similar, but when someone says, “Actually, it is version so and so of such and such a component from such and such a supplier that you now need to take out,” you will find that you do not know in your asset database that you have some of those components in it. I could not see anything in the Bill that talks about the asset databases of the companies that supply the networks we are using, and I think that omission needs to be dealt with.

That leads to another point, which is about the processes for maintaining security over time. You may now be taking out all the Huawei kit and putting other things in its place, but that is happening all the time—that maintenance is going on all the time. There is no mention in the Bill of a technical advisory board focused on the provisions of the Bill, and that would be a very helpful addition. The board would perhaps be able to point out that there were new types of components coming in that ought to be looked at or considered and that ought to be recorded in people’s asset databases, and people should make sure that happens.

Leading on from that, I also think that the processes are not as transparent as they ought to be for Parliament. It would be helpful if there was a commissioner, such as the Information Commissioner or the Investigatory Powers Commissioner. That would be helpful in keeping an eye on what is going on here, and in order to be able to help policy makers and the Secretary of State to make the right changes.

I am just going to interrupt you there, because I am conscious of time and a couple of Members are indicating that they want to come in. I call Christian Matheson.

Q Thank you, Mr McCabe. I want to follow on directly from the answer that was given to Mr Johnston. This morning, I asked some of the larger mobile firms whether they had done a proper audit, they had an asset register and, when the orders came through from the Government, they knew exactly what to take out and where it was. Those were the largest mobile firms. They all expressed confidence that they did. Dr Bennett, are you suggesting that at that top level we should be querying that confidence a little bit? Perhaps you are suggesting that that confidence should not be taken as read, as we flow down through the rest of the sector from the top level.

Dr Bennett:

I would hope that those at the top level are clear about it, but I would be surprised if there were not occasions when they had used subcontractors to do maintenance and the imperative had been to sort out the fault ASAP. Knowing precisely what components had gone in could be wrong, and that might come up in an audit. I think it becomes more important as you flow down the levels.

When there is this desire, quite rightly, to bring in new and additional suppliers, those suppliers will need help to ensure that their parts of the network are working well. Again, I would suggest that something that is not in the Bill but should be there is the type of sandpit that the City of London has done for FinTech companies, where new entrants can test their equipment against the type of networks that they will be interacting with. That would reduce the risks of security problems in that area and give everyone confidence that the lower tier suppliers are compatible and have the same level of security as the top level of suppliers.

Q Should there be some form of external audit of asset registers?

Dr Bennett:

Yes.

Q And who should do that external auditing?

Dr Bennett:

This is the type of thing that would be done by a commissioner. I think NCSC is well placed to be involved in that and things like sandpits. I am not sure whether Ofcom has all the resources it would need to be able to do that. But we also must remember that audits and responses to audits are quite expensive things. If we want the infrastructure to be secure over time, as we all do, we have to agree that that is an expense that we will have. That will make the whole system more expensive to maintain, because it is an important job.

Thank you. Mr Robson, do you want to add anything to that?

Julius Robson:

I think it is very important. One of our angles on this security Bill is that we see diversity as important not just for building resilience, but for delivering on the promise of 5G, which is to take mobile—which currently is about voice and data for people—and deliver it into organisations, to have e-health, smart industry and connected communities. To do that, you need a diversity in service providers. It is fair to say that mobile operators have done a great job of the outdoor national network, but perhaps not so much delivering into enterprise.

We want to ensure that when we implement new policies, like the telecoms security Bill, we are not introducing large barriers to entry to those smaller players that will come in and diversify our network. This talk of making everyone auditable is a workload that will drive us back towards a monolithic industry, where you have a small number of service providers, and only the largest vendors are able to service that. We need to ensure that whatever policy we implement looks forward and is workable for this diverse ecosystem that we aim for in 2025 and beyond, not the monolithic one we have today.

Q Dr Bennett and Mr Robson, thank you for coming in. I have listened intently to what you have said, and it is fascinating. May I offer an alternative view? First, the Bill itself creates new powers for the Secretary of State to make regulations. Section 105A is a duty to take proportionate measures, to identify and reduce risks. Section 105B is a power to make regulations imposing duties. Section 105C is a duty to take appropriate and proportionate measures in response to compromises. Section 105D provides for powers to respond to a compromise itself. The Bill is all about giving the Secretary of State powers to do things; it is not a panacea. So may I ask you to comment on two things? First, what you have referred to this afternoon is valid, but it will be covered in secondary legislation or in powers taken by the Secretary of State after the primary legislation has gone through. Secondly, the Bill should be seen for the framework that it is, and not as a panacea, which it is not.

Who wants to go first? Dr Bennett, I think that was mostly directed at you.

Dr Bennett:

I appreciate that it is a framework, but it is a framework that does not say that powers in certain areas are going to happen and how you might do it. I think the Secretary of State and the whole industry actually needs a lot of help to do this. The whole tenor of wanting to have things like the telecoms diversification taskforce and the 5G diversification strategy is absolutely right, but as you do that you are bringing in people to do these things who have less resources than the people currently in there. As Mr Robson said, they can afford the expense of the barriers to entry, whereas smaller players require assistance from the Government to enter this world without going out of business because of the impacts of the cost of compliance.

Q Mr Robson, what is your take on Mr Sunderland’s alternate view that this is a framework and it will be all right in the end?

Julius Robson:

It is a good point. I recognise that the Bill essentially describes a process of setting codes of practice and does not actually say what those codes of practice are. One thing I noticed is that the language of the Bill speaks very much to the problem we have today that there are only one or two viable vendors of networks. The open RAN movement is about ensuring that your network is comprised of parts from many different vendors, with hardware from some people and software from others, and a mix of providers doing similar things. The Bill must ensure that it represents that world. So where it talks of “public electronic communications network” providers, do we assume that you have to be a network provider—an end-to-end network—to play in this game.

I did read that the code of practice will define three tiers of telecom providers, with the biggest and most important providers subject to the most intense scrutiny and oversight. That is not expressed in the Bill—it is in the notes—so I assume it will come out in the codes of practice, but at the moment we do not have visibility of what that will look like. From our point of view, it is important to encourage companies of all sizes to be able to play in this game, so proportionate legislation is important.

Do you want to come back, Mr Sunderland?

No. Thank you for the answers.

Q I am the shadow Minister for the Bill. Let me start by welcoming you and thanking you very much for your expert input. I particularly welcome you, Dr Bennett, for your expertise and the fact that you are the only female witness we have today—it is clear to me, as someone who worked in engineering for 20 years, that the sector’s gender balance has not improved. I hope that Parliament can do more to ensure more balance in witnesses in future.

I have questions for both of you, but let me start with Dr Bennett. I was impressed by your structured list of things that are missing from the Bill, because we are here to scrutinise the Bill and see how we can improve it. I think you talked about the breadth of the security challenge and how this Bill, as it stands, might not meet the full breadth of it. You had four areas, and I think you have run through two of them in more detail. Could I ask you to summarise again the areas that you think are missing? In particular, could you talk a little bit more about the need for improved scrutiny? Could you just summarise that and then go into more detail on the ones where you have not yet?

Dr Bennett:

I said that the areas that needed to be covered were network architecture, which is the Bill’s focus, the security of the asset databases that make up the network, how to ensure security of the data passing over the network, the maintenance of security over time, and the operational costs and other impacts of compliance. I have touched on all of them, but perhaps not very much on the operational costs and impacts of compliance.

The more diversified your network, and the more small vendors there are, the harder it will be for them to maintain the level of scrutiny, record-keeping and general security that is required as their bits of the network develop and the interfaces they have with other bits of the network change over time. That is an area where the Government should consider giving help to people to cover those costs. I have said that audit is needed of the assets in the network. The costs of being audited and of dealing with audits are very high, and they are costs that small companies may not have the resources to meet.

If the Government suddenly say, “All components from supplier X must now be removed from the network because of x, y and z,” it is incumbent on the Government to have some funding to help people to do that and to ensure that that really does happen, because it could be a step too far if you have a lot of very small suppliers that do not have the resources of skills, time or money to do it. You need to think about that and about how you can ensure that they are not squeezed out of the network—this diverse network that we want—by those costs.

Q To follow up briefly on that, I think what you are saying is that there might be a contradiction between the desire to have a more diverse supply chain, with more smaller players, and increased regulatory and other costs in this. With regard to network architecture and data flows, you make a very good point: we have been concerned about high-risk vendors, designated vendors and so on, but that will not address the issue of securing data flows. Do you have any thoughts, and are you suggesting that more thought needs to be put into that aspect of network security?

Dr Bennett:

I think most people would agree that the diversity of end points, of interfaces and of applications running over complex networks all pose security problem areas. The more of those you have, the more resilient your network might be on the one hand, because there are multiple parts, but on the other hand, the harder it is to maintain them adequately.

We see some of these problems today in the decision to move the copper out of the network. Applications that are very important to many users, notably alarm signals, are ones that often assume they have an underlying network of a particular type, and if it is not there those applications do not work and they do not work suddenly. These types of things are very complicated but are actually very important for the end users. It may be an alarm that says an elderly person has fallen in their home; it may be an alarm that says your bank has been attacked by a criminal gang. Who knows what it may be? But those types of things are the types of applications that run over these very complex networks, and unintended consequences can happen as you change the network architecture. If those tier 3 suppliers and the people providing key applications over the network are not involved in this conversation at the CNI level with the top-level suppliers, all sorts of unintended things can happen.

It is a question of how you make sure that you minimise the number of these unintended consequences and support people to realise what they need to do early on, so that they are not caught out by them.

A very good point.

Q I just want to check if Mr Robson has got anything he wants to add at this stage.

Julius Robson:

We are discussing the use of the mobile network for new and innovative services, such as worker alarms or falling-over alarms. Actually, there are some smaller players working in specialised industries that understand those customer requirements probably better than mobile operators, and that are very used to dealing with them. In fact, many of the applications for mobile are those that already exist in proprietary and bespoke wireless systems today and that we would want to move on to mobile. Some of the newcomers probably understand these things better than others and the diversification policy is about bringing in that expertise—those industry specialists who understand these requirements.

I would also say that, yes, the network is complicated—radio wireless networks, with lots of endpoints—but intrinsically the wireless medium is insecure. Anyone can listen in to it; it is possible to modify the signal. It has been designed so that everything going over it is secure and protected, and those security paradigms are locked up in the core, so that there are parts of the network that you do not have to worry about, because the information has been secured at a higher level.

I think this was mentioned by Andrea from Vodafone this morning: it is really important for us to understand which parts of the network are in scope of the security rules and which bits we do not need to worry about. The air—anything in the airwaves—is intrinsically already easy to eavesdrop on or modify. So obviously that is out of scope. I think we do not have to get too worried about certain parts of the network.

I am just going to go to the Minister; if there is time, I will come back. Minister.

Q Thank you both for what has been a really interesting discussion. I wanted to ask, partly because you mentioned it specifically: when it comes to looking at other parts of the network, such as the internet of things, are you aware of the work that we have been doing—for instance, in October we published work specifically on regulating smart devices—and do you see that sort of work as being complementary to the kind of work that we are talking about here today in relation to the Bill? Perhaps once you have dealt with that, we can deal with the Bill itself.

Julius Robson:

I think it is important. What we are looking at in the 5G era is the application of mobile technologies for specialist industries, and it is entirely relevant that those industries have their own requirements for security and other requirements that apply on top of what is necessary in the basic mobile network. I do not think we need to duplicate that effort. Where we are using mobile in certain scenarios, the scenario should define the requirements. The base level of mobile connectivity should be something suitable, and affordable, for the consumers and the masses.

Dr Bennett:

I am aware of the work you have been doing on security for the internet of things. I think it is complementary and extremely important. Everything should have security by design in it. It is very important to cover these types of points.

Q In saying that, it seems to me that it supports the point of view expressed earlier, that this piece of legislation should not be expected to do everything. It is part of a broader Government response. You laid out a lot about what you think a secure network looks like and what its characteristics might be. They are not controversial in themselves. The point of debate seems simply to be whether those are for a regulator to define and be able to update on a regular basis, because we need to able to respond, or whether they should be on the face of the Bill.

I would have expected you to say, if I can put words in your mouth, that you would like the agility of the regulator’s ability to update those codes of practice, to be able to say to networks, “This is what secure looks like. If you are complying with these kinds of codes of practice, then we will be able to understand that you are meeting the requirement.” You seem to actually be saying that you want greater rigidity. I am interested to understand whether you would like the codes of practice to have the flexibility offered by the writing from the regulator or whether you would like to see them on the face of the Bill.

Dr Bennett:

I think we actually want both. There should be mention in the Bill of some of the ones that I think are key, so that people realise that there is going to be a code of practice on that they should follow. It is very important to be able to be agile and to get early information, from something like a technology reference panel, about things that are coming along, in order that you think about them before they get attached to the network. Trying to do it after you have attached something to the network is frankly a nightmare, so you need to be anticipating. It is not clear that there are mechanisms for that anticipation in the Bill.

Given the SolarWinds Orion hacking, which is a recent example of something that will take a long time to sort out and is precisely what you do not want to happen in the future, it would be sensible to get someone like NCSC to test whether the things in the Bill, and things that should be in the Bill, would have enabled the mitigation of that problem to happen faster than it has. The Bill ought to be doing something like what the Americans are doing in response to that now. The Government should consider a rapid response, co-ordinated unit to deal with similar incidents in the future, because they will happen. That is the kind of thing that ought to be in the Bill to say, “This is how we are going to be able to mitigate these problems when they happen, as quickly and sensibly as possible.”

Q I suppose, in a sense, you are already seeing some of that, are you not, with us already publishing the draft designations, the draft directions and some of the secondary legislation that would be enabled by this Bill? I think you are arguing for as much transparency as possible, of the sort that you have already seen from the extensive NCSC blogs on what the standards might look like. I do struggle to see how you would put that on to a statutory footing in the way that you have described without constraining some of the agility. Fundamentally, however, your argument seems to be in favour of transparency above all else.

Dr Bennett:

Yes, and anticipating things as early as possible.

Chi, we have time for another quick question. I think you had a point that you wanted to come back to.

Q I did have a question. I also wanted to say that I think Dr Bennett’s point is about transparency, but also about anticipation, responsiveness and a fast response regime. My question is to Mr Robson. You are the Small Cell Forum and you have put a big emphasis on diversity in the supply chain. I think you said—I do not want to put words in your mouth—that security requires diversity in the supply chain. You represent potential small providers. Is there anything that the diversification strategy needs to do that it does not do to better support the entry of smaller players?

Julius Robson:

Thank you for that question. I have mentioned chipsets, which are important, and lots of people have talked about software and open RAN. The specialist base station chipsets are an important component, and if we can make them available at scale, which is something that we work on with our FAPI—our functional application programming interface—I think that will really help to fuel the diversity of equipment providers. That is one aspect.

Another aspect—I am not sure how well it is coped with in the consideration of the supply chain—is diversification at service provider level. As I have mentioned, mobile operators are the main service providers for mobile services, but they partner with other providers, particularly ones that work in specialist environments. There is a particular type called neutral hosts that can offer multi-operator services. If you wanted to connect to a hospital, it would not be any good to have just one operator service and have only a quarter of the people served. You need all of them served, and that needs to be done affordably. We want to make sure that the partners of mobile operators, such as neutral hosts, are supported in legislation.

It is also about recognising, as has been mentioned, the challenges of getting the hardware out. You can scale software just by selling it to more people, but hardware needs more feet on the streets and more deployers. We have to look at how we go about enabling more people to deploy mobile infrastructure into communities and industry, so that more people are aware of how it works, which means making the system simpler. From a security perspective, we need to recognise that there are parts of the network that need to be kept secure, and there are parts of the network that are out of scope of that.

Q I would be interested to hear more about what is out of scope, because my understanding was that the Bill covered all aspects of telecoms security.

Julius Robson:

Just to make the point that you do not have to worry about every last resistor—components were mentioned—and every piece of equipment you have. As I pointed out, the radio airwaves themselves are also not secure. The whole system is designed to securely operate over an untrusted environment. In standards, we have the concepts of trusted and untrusted networks. Typically, you can operate your mobile network over the internet, which is considered untrusted. It is important that we recognise that paradigm.

I would say that all service providers are well accustomed to working with the level of security that the mobile operators and the regulatory regime demand, so we are happy with that. I just hope that we do not introduce new burdens with this legislation that stand in a way of diversification.

Looking around the room, I think that is it. In that case, I thank Dr Bennett and Mr Robson for their evidence. We are extremely grateful to you. Thank you both very much indeed. That brings this session to a close.