Examination of Witnesses

Telecommunications (Security) Bill – in a Public Bill Committee at 9:25 am on 19 January 2021.


Professor William Webb and Emily Taylor gave evidence.

Philip Hollobone Conservative, Kettering 9:26, 19 January 2021

We now resume the public sitting. Welcome to our third session of oral evidence on the Bill. All our witnesses today will be giving evidence by video link.

Before calling the first panel of witnesses, I remind all Members that questions should be limited to matters within the scope of the Bill, and that we must stick to the timings in the programme motion that the Committee has agreed. For the first panel, we have until 10 minutes past 10 o’clock.

I now call the first panel of witnesses: Professor William Webb, CEO of Webb Search, and Emily Taylor, chief executive of Oxford Information Labs. Would you please be kind enough to introduce yourselves for the record and make a brief opening statement? We will start—ladies first—with Emily Taylor.

Emily Taylor:

Thank you, Mr Hollobone. Good morning. My name is Emily Taylor. I am a lawyer by training. I have worked in the internet environment for more than 20 years. I am CEO of Oxford Information Labs, a cyber-intelligence consultancy. We are actively involved in standards organisations such as the International Telecommunication Union. I have authored papers on 5G and geopolitics, and on China’s efforts to standardise a new internet. I am an associate fellow at Chatham House, editor of the Journal of Cyber Policy and a research associate at the Oxford Internet Institute.

I have listened to the evidence that you have heard so far, and in three areas I think I can bring new information or offer alternative perspectives to the Committee. Those are: why standards matter and what China is doing in standards; the need for a holistic approach to minimising cyber-security risks across critical national infrastructure and especially supply chains; and the China containment strategy and whether there might be more positive alternatives. I have several drafting points to make about the Bill itself, which I am happy to explore with you if time allows. I am of course happy to answer any other questions that you would like to put to me, within my capabilities.

Professor Webb:

My name is William Webb. I am an engineer by background. I have worked as a telecoms consultant for many years, and that is what I do now, advising regulators, operators and manufacturers around the globe. Most relevant to this Committee is perhaps that I spent seven years at Ofcom, helping it with radio spectrum and technology strategy. I spent 18 months at the Department for Digital, Culture, Media and Sport, helping it with its 5G programme. I have also co-founded a start-up in the telecoms space, so I understand that area.

Potentially, I can help the Committee on the security side by looking at whether we can be sure that we are being proportionate in our response to security issues. I can certainly help on the diversification side by talking a little about the strategies of operators, the potential role of open radio access networks and other such diversification strategies, and perhaps some of the better ways to deliver diversification in the future.

Philip Hollobone Conservative, Kettering

Thank you very much indeed. I am now in Members’ hands. Who would like to be first out of the blocks? Kevan Jones.

Kevan Jones Labour, North Durham

Q 82 Thank you both very much for agreeing to come before us this morning. Emily, will you expand on standards issues and how important that will be to how the telecoms sector develops in the future? Who are the leading players in setting standards? You clearly made reference to China trying to get a set of regulations to suit itself. Where are we on what has been described in many documents as the D10—trying to get the democratic nations to influence that agenda? How do you see the way forward?

Emily Taylor:

Thank you very much for those questions. The first aspect is why standards are important. Standards development can be very long, drawn-out and not the most interesting thing to participate in, but they are vital both for our security going forward and as part of the diversification strategy. Dominance or over-reliance on a small number of players is bad for innovation, security and procurement. It is great to see the importance of standards coming through in the diversification strategy that has been published. Although standards can take many years to be created, they also hang around for many years, so if we miss the boat with a particular standard when it is critical to a new industry or technology, that can have a lasting effect on our domestic and international industries.

Many scholars, such as Laura DeNardis, have pointed out that technology is not neutral, and this really applies in standards. By accident or design, standards embed the attitudes, values and world view of the engineers who create them. That has not really been a problem for western countries to date, because the US and European participants have tended to dominate, but going forward we need to find a new way of coping and co-existing with a technological superpower that does not share our values and that has invested heavily, with a strategic approach to standards, for several years.

You asked who the leading players are in standards, and in particular you alluded to the role of China. It is quite telling to reflect on the number of leadership positions across the standards organisations environment currently held by Chinese nationals. Of course there are many standards organisations, including the Internet Engineering Task Force, the International Telecommunication Union, which sits within the UN, and bodies such as 3GPP—the 3rd Generation Partnership Project—and the European Telecommunication Standards Institute. The Chinese players we see, not just from the Government but industry, include Huawei, Futurewei, ZTE, China Mobile, China Academy of Telecommunications Technology, and Tencent. All of them are active in standards.

The ITU is headed by a Chinese national, and of 11 working groups within the ITU’s Telecommunication Standardisation Sector, or ITU-T, China has a chair or vice-chair in 10, and a total of 25 positions at chair or vice-chair; 135 so-called “questions”, which are sort of agenda items across those working groups; and 87 rapporteurs. I could go on, but I think the point is made.

On where we are with a D10, as you know, the Defence Committee has quite majored on the idea of a D10—indeed, the idea has been going around for several years. The key element as I understand it is a recognition that this country needs to act with others to have a chance of having the coverage and investment that China has had, and that there are like-minded countries that we can partner with across standards, and also to reinvest in domestic or shared capability for manufacturing. Manufacturing has been leaving western countries for more than 30 years and we are now seeing the effect of that. It is all very well to worry about the rise of China, but if at the same time you are asking China to make absolutely everything, it is inevitable that there will be some technology transfer.

Of course, the D10 does not exist. The idea of a Five Eyes type of thing that would also morph into an economic and legal type of partnership also does not exist. Five Eyes is an intelligence-sharing network, not an economic bloc or a trading bloc. So there are challenges, but there are also opportunities for partnerships.

Kevan Jones Labour, North Durham

Q It is quite clear from what you have said that China has been active in this sector. That is not unusual; China has done similar types of things in other international bodies. Have we in the west taken our eye off the ball in terms of representation on these bodies, and what will it take to step up to the plate and be involved in these standards settings?

Emily Taylor:

It is a bit like waking up halfway through a chess game and realising that you are about three moves away from checkmate. I think we have taken the eye off the ball, although the UK has been strong on standards and has invested in them, but we cannot match China, where we see the fruits of a patient long-term strategy. It is all laid out in the “China Standards 2035” document, but some people in working groups say that they get more than 100 papers to deal with just before a meeting.

There is a sense that we are losing a grip. Part of that is that we did not realise how far standards embed our values until we started to see the alternatives. New IP is something that we have been writing about and studying over the last year. That is China’s efforts to standardise effectively an alternative architecture for the internet, which would not be compatible with what we have today. That is at quite an advanced state across numerous working groups within the ITU.

Philip Hollobone Conservative, Kettering

Professor Webb, would you like to respond?

Professor Webb:

I certainly agree with all that. I have written standards myself and even run a standards body, so I know how they work. The important point is that it is not possible for a Government just to say, “We are going to influence that standard.” Standards are influenced by the working papers written by the companies that attend the standards body. The UK Government themselves could not really have an influence, and nor could a university or any other organisation like that, not unless they spent inordinate amounts of money and hired a lot of people to write a lot of papers. There needs to be a concerted global or western European effort, or some kind of larger scale activity that can help the larger companies with the resources and expertise and the standards bodies to step up their efforts.

Sara Britcliffe Conservative, Hyndburn

Q Good morning, William. You alluded to this in your introduction, but what are the main risks to the Bill achieving the Government’s aims for the security of the telecoms network? Can you expand on how you believe these could be mitigated?

Professor Webb:

I think the Bill is fine when it comes to potentially delivering the security desires. It seems to be a very flexible Bill and has the capability to do all those kinds of things. My key worry is more one of proportionality. The Bill essentially says everything must be done to make sure that networks are completely secure. Of course, security is extremely important, but we could have a situation where there is a very tiny risk of some security breach but the mitigation is inordinately expensive, and that might result in higher consumer costs for mobile phones.

Ofcom will need to weigh up that proportionality and make sure its response is correctly balanced, but I do not see that in the Bill. I worry that the risk aversion that I think will happen automatically with the regulator may result in excessive security measures that penalise consumers when they are not particularly necessary. That is my biggest concern looking at the current structure.

Emily Taylor:

I agree with William’s overview of the Bill. It is great to see that the industry welcomes it. We heard from Ciaran Martin yesterday in his evidence to the National Security Strategy Committee that industry asked for this, because it had reached the limit of what it could do on a voluntary basis. It is great that it will lead to substantial investments and security. The telecoms security requirements are almost a recipe book—a very clear set of instructions on how to build more secure networks, which is great, particularly the focus on securing the management plane.

However, as William has described, in certain scenarios, there are almost unlimited liabilities for providers, not just to their customers, but to every person who could be affected by a contravention under clause 8. The inspection notices give very wide powers, including entry to premises, and the provider pays for that, so there is not much incentive for Ofcom as the regulator to think about whether this is justified value-for-money-wise and how to target interventions. I could go on, but the other question I have is about Ofcom’s capacity in this sector, because it will have to acquire a very specific set of skills and capabilities, and that will require substantial investment and learning as an organisation as well.

Sara Britcliffe Conservative, Hyndburn

Q Can I just quickly follow up with both witnesses? Were you consulted on the Bill prior to this?

Professor Webb:

No, I was not.

Chi Onwurah Shadow Minister (Business, Energy and Industrial Strategy), Shadow Minister (Digital, Culture, Media and Sport), Shadow Minister (Science, Research and Innovation)

Q It is a pleasure to serve under your chairmanship again, Mr Hollobone, and thanks very much to the witnesses for joining us this morning. I should declare that William and I worked at side-by-side desks at Ofcom for some years, so I am well aware of his expertise in this area.

I have a couple of questions, starting with you, William. We heard from Mavenir on Thursday that open RAN could provide 2G, 3G, 4G and 5G networks now, but the operators were not looking to purchase networks from it. What is your view on the accuracy of that statement and the maturity of open RAN? What challenges does that pose with regard to the diversification strategy set out by the diversification taskforce?

Professor Webb:

Thank you, Chi. I am sure Mavenir is correct that it can sell equipment that can do 2G, 3G, 4G and 5G, but that is not sufficient for an existing operator. If an operator wants to put this equipment into its network, it needs to work with its network diagnostic systems; it needs to handle all of the various features that it might deliver to customers, businesses or whatever, or that it might use for optimising its network or the various software systems that it has. It has built these up over 20 or 30 years, so adding in the equipment is a lot more than simply ticking the box and saying that it can transmit 2G or 3G. That takes quite some time, particularly with the more complex base stations that we find in city centres. The ones in rural areas are typically much simpler and less problematic if they go wrong. That is why we see people like Vodafone trialling open RAN in those places.

Although Mavenir has all the ticks in the boxes, it does not yet have work-through with the operators to deliver something that really works for all of its network. As we have heard from the operators, that is a long, slow process. The operators are rightly risk averse—they do not want to rush out a whole load of equipment and for their networks to fail after a few months, with all the problems that that would have for consumers. So it seems to me that we are still some time away—I think the operators have said five, six or maybe seven years—from any significant deployment of open RAN. That sounds very plausible to me as a strategy for evolving a network. Of course, by the time you get to that point, they will have deployed most of their 5G network already, so it feels as though open RAN will be too little too late to have a significant impact on diversifying the 5G networks that we have in this country and that we will have for the next few years.

Chi Onwurah Shadow Minister (Business, Energy and Industrial Strategy), Shadow Minister (Digital, Culture, Media and Sport), Shadow Minister (Science, Research and Innovation)

Q What would your recommendations be in terms of an effective diversification strategy? Where is the capability strong?

Professor Webb:

If I wanted to diversify, I would instruct the telecoms operators to diversify. I would not try and pull the levers one step removed. I would say to the telecoms operators, either with a carrot or a stick, “You must diversify. If you have x number of vendors in your network, I will give you £x million as a carrot.” The stick might be some kind of licence condition that said, “In order to meet your licence, you have to have at least x number of vendors in your network.” That seems to me to be the way to pull through, and then the operators can decide whether they want ORAN, something like NEC or Samsung or someone like that. They can make that choice and that will pull through the decisions to them, rather than the Government trying to decide on their behalf what the best technology for them to use might be.

Chi Onwurah Shadow Minister (Business, Energy and Industrial Strategy), Shadow Minister (Digital, Culture, Media and Sport), Shadow Minister (Science, Research and Innovation)

Q Emily, what other security threats are not fully addressed by the Bill? How can we ensure that our networks are resilient to future security threats? I am thinking of the consolidation in cloud services, for example. As we move to more software-based networks, more and more of the value is in the cloud services. Say, for example, Amazon Web Services was bought by a Chinese company. Would you consider that a threat to the security of our networks?

Emily Taylor:

Thank you very much for those questions. As a general point about the cyber-security of critical national infrastructure, I feel a little like we have been fetishising 5G and a single company for the last two years, perhaps at the expense of a more holistic awareness of systemic cyber-security risks. Ciaran Martin spoke eloquently yesterday about the need for flexibility in what critical national infrastructure is. The last year has shown us that what is critical very much depends on what you are going through at the time. Healthcare systems probably would not have been top of the list two years ago, but now they are. The SolarWinds attack shows that the identity of the vendor is not always the key risk point. SolarWinds is a very trusted vendor from a like-minded, close ally country, and yet it turns out to be a critical single point of failure across key, very sensitive Government Departments, both in the US and the UK.

Thank you for talking about consolidation across cloud services, Chi. One of my reflections on open RAN is that, although, of course, I am excited at the idea of open, interoperable standards, which would prevent vendor blocking, most of my experience has been in the internet environment rather than the mobile environment, and we are replete with open, interoperable standards, but we have a major competition problem. That in itself is not going to be enough of a lever to secure diversification.

On the point about acquisitions, particularly where you have cutting-edge technologies coming through, this country is really good at R&D—we have wonderful universities full of very brainy people who are creating things—but there does not seem to be the follow-through to create world-beating companies that can compete across the world stage. Why is that? It is because they either get sold to the US or to China. Of course, the foreign investment security strategies are all part of this as well, but you make a key point. If Amazon Web Services was sold to a frenemy country, that would potentially introduce the same kind of, at least theoretical, security risks that we have been troubled by over Huawei and 5G.

It is also the case that consolidation of infrastructure providers, like the cloud providers, is a security risk, because they become too big to fail. There was a brief outage of Google just before Christmas, and people just cannot work. When Cloudflare or Dyn go down, they introduce massive outages, particularly at a point where we are all so reliant on technology to do our work. These are security risks, and that highlights the need for a flexible approach. You have to be looking across all sectors.

Chi Onwurah Shadow Minister (Business, Energy and Industrial Strategy), Shadow Minister (Digital, Culture, Media and Sport), Shadow Minister (Science, Research and Innovation)

Q I see that William wants to come in. I just want to say that we have also been told that there was a major difference between fixed and mobile architecture when it came to security issues. You seem to be saying that there may be differences, but there are security issues within fixed networks as well as within our mobile networks.

Emily Taylor:

Generally, our standard of security across the board is not as high as it should be.

Professor Webb:

I realise that Chi had also asked me how the UK can strengthen its ability to provide diversified supply chains, and I did not address that.

I want to pick up on something Emily said as well. I think she is absolutely right—the UK has a great number of really excellent engineers, both in universities and in leading consultancy-type organisations. Here in Cambridge there is a plethora of wonderful consultancies and start-up companies. In my experience, the biggest problem is actually finance. To try to raise the finance to get a start-up company off the ground, particularly one that sells to operators who have huge purchasing power and tend to squeeze all their vendors—quite naturally—is very difficult in the UK. It is much easier in the US. Addressing the ability to provide finance for those kinds of entities and, to Emily’s point, allowing them to exist for many years rather than to be bought as part of that financial process would help more than anything else, for the UK to grow its own major players in this space.

Matt Warman The Parliamentary Under-Secretary of State for Digital, Culture, Media and Sport

Q Thank you for your comments so far. You will have seen in the diversification strategy that we completely agree with the points you have made around standards and the importance of international co-operation, so I will not go further into that. But it is interesting that a lot of what you have talked about is the diversification strategy rather than the Bill itself. In terms of where we have put increased duties on Ofcom, for instance, where do you feel that there should be more in legislation, rather than in the diversification strategy itself? It seems that tying our hands is not what you are asking us to do, but there is obviously a balance there, isn’t there?

Professor Webb:

Yes, I think there is a balance. I do not have strong views on that. The legislation appears to be sufficient and flexible in this space. I think the issue is the way it is implemented, and particularly the downstream actions of the Government and of Ofcom might need a bit more care.

Emily Taylor:

The legislation is creating a framework, and a lot of that will be filled out through statutory instrument and the codes of practice that are envisioned. I imagine the codes of practice will reflect the TSRs to a large degree. Thinking particularly about how the legislation might impact on the wish and the essential need to diversify, it imposes very high levels of liability for providers, and almost unlimited duties on everybody for the smallest infractions. That is William Webb’s point about proportionality.

As the measures come to life through secondary legislation, codes of practice and the actions of Ofcom, it is going to be very important that there are checks and balances. I am not sure whether the Committee is hearing from any civil society groups, but I am sure they would be worried about the very wide discretion for the Secretary of State. There is a lot of concentration of power in the Secretary of State and, perhaps, insufficient safeguards, as things are currently drafted.

Also, on the provisions that relate to the identity of the supplier—the nationality—rather than the qualities of security, which I think are the more relevant points, of course identity and nationality can be relevant, but there may need to be more of a look there to ensure that we are on the right side of potential risks of discrimination.

Matt Warman The Parliamentary Under-Secretary of State for Digital, Culture, Media and Sport

Q In response to that, it is worth saying that there will never be such a one-dimensional approach as the one you have described, and I do not think you are suggesting that there is. However, I think we agree that there is a balance to be struck, and, inevitably, that comes in a whole series of advice from agencies and other entities. I was interested in something that Professor Webb said about the carrot and the stick. How would you propose that Governments or, I suspect, Ofcom incentivise operators to provide the greater security that you have been talking about?

Emily Taylor:

I think that was a question to Professor Webb.

Matt Warman The Parliamentary Under-Secretary of State for Digital, Culture, Media and Sport

It was to both of you, to be fair, but I did mention Professor Webb.

Philip Hollobone Conservative, Kettering

You will both get a chance. We will go to Professor Webb.

Professor Webb:

I am certainly all in favour of placing the requirements on those best placed to deliver them. For diversification, that is certainly the operators. I talked a bit about how you could, for example, offer them some financial incentive to have a more diversified supplier base. That would make some kind of sense, given that this would add costs to their management of the network.

In terms of security, I think it is a bit more difficult to see how that one might follow. I can imagine that there might be certain security issues where, for example, the decision might be made that a replacement is needed for a certain component in the network, or that they need to purchase some additional elements, and then you might imagine that it might help to have some sort of financial incentive to do that. But I think that would be on more of a case-by-case basis—I cannot see a clear, catch-all type of approach that would enable that.

Emily Taylor:

I very much agree with what Professor Webb has said. Indeed, one of my reflections on the draft Bill is that it is very much at the stick end rather than the carrot end. Maybe we will start to see a bit more of the incentives coming through as the detail is filled out. But I think that thinking about incentives would very much reflect the close working relationship that there has historically been between the industry and Government. That is not the case in every country; it is actually a benefit in this case.

Security is expensive, and it is also long term. The telecoms supply chain review last year put it very accurately: the market does not reward investment in security—quite the opposite—so I would hope that there would be some recognition from Government about what is needed. I do not think that the investment in the diversification strategy is nearly going to match the investment that is required by the mobile providers who—yes, they are very successful large companies—have not had the great decade that, say, the Googles of the world have had in terms of their margins. So you are asking an already squeezed sector to make substantial investments, and I think that is the place where you could be looking at incentives.

Chris Matheson Shadow Minister (Digital, Culture, Media and Sport)

Q Ms Taylor almost answered this question, but I just want to press both witnesses on this. The Minister referred to Professor Webb’s comment on “carrot and stick”, and obviously we are very keen to see diversification of suppliers increase in domestic capability as far as possible.

There is one way of looking at this legislation, which is that it can provide a market-led opening for suppliers, in a market that is no longer, in the long term, going to be distorted by, for example, Huawei, with its state backing. Is there any evidence, therefore, that other suppliers—first tier and lower suppliers—are looking at this and thinking, “There is a chance here to get back into the game”?

Ms Taylor, you talked about security being quite a difficult and expensive barrier to overcome, but are there any discussions in the wider sector about there being an opportunity to be had here, or about whether, actually, a stronger diversification strategy is necessary?

Emily Taylor:

The initiative is welcome—the diversification strategy is welcome—but, as Professor Webb has described, there are many barriers to entry for new suppliers. To build out an entire country’s network requires substantial scale, and, very understandably, the operators are risk-averse. You cannot just turn up and build out a network; open RAN is exciting, but, as you have heard from witnesses—and this morning, from Professor Webb—it is not ready, yet, to build out an entire country.

Also, the market distortions can still happen despite a diversification strategy. You can well imagine that the companies that decide it is attractive to enter this market are not, perhaps, the cheeky start-ups that you would want to encourage; they would be already dominant in other sectors. Imagine if we were sitting here, in five or 10 years’ time, lamenting the fact that the equipment market is now dominated by Microsoft and Google. I am just making that up as a hypothetical example—I have no knowledge to back that up—but those are the companies that have the sufficient scale and skills, and as Chi Onwurah said in her question we are moving to a more hybrid network, where skills in cloud computing and software are going to define the success of the player.

Professor Webb:

If you want to encourage a new entrant—be that a company that has some skills in this space but is upping its game to develop a complete system, or a brand-new company—they have got to develop the equipment, and that involves developing a lot of software and hardware, and an awful lot of effort and investment. If you add yet more requirements on them—for example, security requirements—that makes their effort even harder; it makes it even harder for new entrants to compete with existing players, who have already made much of that investment, to have the scale and capability to add on that extra. Adding security is the right thing to do—I am not criticising that—but the implication is that it will make it harder to diversify the supply chain. What you want to do is make it as easy as possible for new entrants, with the minimum requirements on equipment, if you want to bring a larger number in.

Chris Matheson Shadow Minister (Digital, Culture, Media and Sport)

Q It would level the playing field, would it not? Everybody is having to work to the same level of security standards, rather than others thinking they can jump in there and cut in.

Professor Webb:

I am not sure it would quite work like that. I think the operators would always want to procure to a certain security standard, whether there is legislation or not, so everyone would have to get to that standard. Raising the standards bar would essentially require everyone to move up higher above that bar.

Emily Taylor:

If I may, just to support Professor Webb’s point, the security standards do not level the playing field, although they are the right thing to do. In just the same way as we have seen some of the perverse consequences of, say, GDPR, the companies that have the scale and capacity to absorb the cost of compliance fare better than the smaller companies, who really do not have the scale and capability. The disincentive to enter the market, or perhaps the incentive to exit the market, as a result of these requirements, hits precisely the type of companies that you want to encourage, although it is welcome to see some recognition of that in the factsheets, with the tiering system. The third tier would probably let the smaller independent ISPs and providers off the hook. It is not quite correct to view it as the security requirements levelling the playing field. They are definitely required, and the market is not delivering that, but it will require close monitoring, I think, to ensure that there is still a competitive market.

Chris Matheson Shadow Minister (Digital, Culture, Media and Sport)

Q If I have got it completely wrong, feel free to say, by the way, that I have got it completely wrong, because you are the experts here, not me.

Finally, could you sum up the chat around the sector at the moment? I get the impression that you are suggesting there is still a way to go to bring confidence that we can diversify across the broad range of the sector, as a result of this proposed legislation, and that there is still more reassurance and consultation required.

Professor Webb:

Certainly, as I look at the information that I get back on ORAN, there is a lot more scepticism than optimism throughout the sector about its ability to do anything in the short term. We have talked a bit about why that is the case.

There is potentially more promise from the vendors that are somewhat established—the Samsungs and the NECs—and there is generally better comment about their ability to do something. If I had to look at what I am seeing around the industry and bring some advice, it would be focused on those vendors, rather than ORAN, as the most likely source of diversification over the next few years.

Emily Taylor:

I can talk about the feedback that I have been getting. I come from a segment of the internet environment that has not historically been highly regulated at all. I would reflect that, if this Bill were brought forward to cover that sector, you would hear the screams. One thing that has really surprised me, and reassured me to a certain extent—it came through in the evidence you have heard—is that there is a degree of comfort with the direction of travel, and I think that speaks to the strong relationship that the industry has with Government on that.

Philip Hollobone Conservative, Kettering

We have five minutes left; I am afraid there is a hard stop at 10 minutes past 10 o’clock. Two Members are seeking to ask questions, so would our witnesses treat this as a quickfire round, with punchy, pithy responses?

Kevan Jones Labour, North Durham

Q Can I ask for your thoughts about Ofcom being the regulator of security? Has it got the capacity or culture to ensure the security of the network, particularly in light of the ISC’s 2013 report on critical national infrastructure? That suggested that civil servants did not even tell Ministers about security threats. Would it not be better to place security with an agency that is responsible for security, rather than with a regulator that has a wide range of responsibilities?

Professor Webb:

I think that has already been mooted. I doubt Ofcom has that capability at the moment. In principle, it could acquire it and hire people who have that expertise, but the need for secrecy in many of these areas is always going to mean that we are better off with one centre of excellence, where the threats are analysed, assessed and understood. We have that, of course, in NCSC.

NCSC would advise Ofcom, perhaps at a high level. Perhaps they would not need to detail exactly what the issue was, but they could talk to Ofcom about the mitigation, and Ofcom could be the entity that performs the proportionality of understanding whether a threat needs to be addressed and to what extent, in the midst of all the other things. That is how I would arrange these organisations.

Emily Taylor:

Thank you for this question, which goes to both the capabilities and the culture. With the capabilities, as I have said in earlier remarks, Ofcom is going to need to upskill. In reality, as Professor Webb has said, they are going to be reliant on expert advice from NCSC, at least in the medium term, until there is a significant transfer of skills and technology, and in terms of the need for secrecy and a broader view.

Ofcom’s historical role has been much less interventionist than is foreseen in this piece of legislation. Those cultural changes go deep into the organisation and into the character of the people who work there. Cultural change is always difficult and takes time, so I would not underestimate the challenge.

James Sunderland Conservative, Bracknell

Q This is a very explicit question to finish with, but could I ask both of you whether, from a security perspective, you agree with the decision to kick out high-risk vendors from the network? If so, why?

Philip Hollobone Conservative, Kettering

You have about 30 seconds each, I am afraid.

Emily Taylor:

I think it was inevitable after the US sanctions on semiconductor chips. It is something I regret, because the more difficult part is what we had been trying to do for 17 years, which is to treat all the networks as potentially vulnerable and adopt an evidence-based approach.

I do not think there is a going back from there. Unfortunately, the effect of the US sanctions has not just been on our domestic market. It will have hardened the resolve of China to have an entirely indigenous supply chain, and therefore will hasten exactly the outcomes that it is intended to avoid. We need a much more positive approach, investing in innovation and research, matching the capability and advocating for the benefits for a single, open and free internet.

Professor Webb:

I do not have strong views. I think it depends, but clearly if it is high risk then it is probably appropriate to exclude them. The worry I have is that you end up focusing predominantly on vendors that you think are high risk, rather than on the overall security challenge, which will be across all vendors.

Philip Hollobone Conservative, Kettering

May I thank both our witnesses very much indeed for your informative evidence this morning, and for giving us the benefit of your wisdom and expertise? We are very grateful to you. That brings us to the end of the time allotted for the Committee to ask questions in the first session.