Telecommunications (Security) Bill – in a Public Bill Committee at 9:26 am on 19 January 2021.
We now move on to our next panel, which is a solo performance from Dr Alexi Drew, research associate at the Centre for Science and Security Studies at King’s College London. Good morning, Dr Drew. Would you be kind enough to introduce yourself and make a brief introductory statement?
Good morning, and thank you for inviting me to present and give evidence as part of this Committee. My name is, as stated, Dr Alexi Drew. I have actually recently changed my position. I currently work at the Policy Institute at King’s College London, and my area of research is emerging technologies and their security and geopolitical implications. I have done a few pieces on Huawei in particular and the implications of supply chain security issues and risks, with publications in the Financial Times and so on, and that is why I find myself in your company today, I believe.
Thank you very much indeed. I am in the hands of Members. Who would like to ask the first question?
Q Thank you for appearing before us today, Dr Drew. I would like your opinion on what the strategy is behind Huawei, possibly in terms of linking Huawei with the Chinese Government’s strategy in the telecoms sector. What is the bigger picture or vision they have for this sector?
I think the bigger picture is bigger than purely telecoms when it comes to China. China treats all its emerging technologies and its advancement of technologies—including telecoms, artificial intelligence and quantum research—as part of a broader means of advancing its influence, its economic strength and its geopolitical power on a global, regional and domestic stage.
Telecoms is a large component of that predominantly because, as I am sure you are all aware, the future of telecoms is essentially the provision of what will be the backbone of most of those other technologies; you require a good, advanced telecoms network to gain the full benefits of applications of artificial intelligence or quantum networking, for example. I think China and the CCP have essentially seen that telecoms is a key component of that and have thus done as much as they can both to strengthen the sector within China, and to export that to gain further routes for the future stages of implementing more technological growth and economic and political growth through the next stages of their emerging technology portfolio.
Q So the strategy is about market domination in certain areas?
I would say that is definitely the case. It is market domination primarily for domestic, good use: it is a mistake to think of all that China generally does as primarily internationally orientated. The primary interest is domestic strength, security and stability. The fact that that can be achieved through gaining dominance in markets outside China is an added benefit.
Q Clearly there is Huawei’s domination in Europe, but what is the strategy when it comes to belt and road? We have seen investments in certain strategic areas such as the ports in Pakistan, Sri Lanka and other places. What is its strategy for telecoms? Is it a similar type of initiative?
It is very similar. That is a great point to make. Pretty much wherever you see belt and road initiatives in, say, a port or supply chain of a physical good, you will see simultaneous investment and market input in a telecoms sense. There is a digital silk road as much as there is a belt and road initiative in the physical goods and supply chain sense.
They are becoming increasingly entwined fields; 10, maybe 15 years ago you could easily have seen a distinct separation between the physical supply chain and the digital supply chain. That differentiation is fading as we progress through time, and I think the Chinese have worked that out perhaps faster than we have and they are rapidly making inroads in order to amplify that effect and gain the benefits of it.
Q Thank you for providing your expertise, Dr Drew. We heard from one of our previous witnesses that the security aspects here might be part of, if you like, a battle for the heart of the internet when it comes to embedding values into the standards that drive it. You seem to be saying that that is a part of China’s requirements to monitor and surveil its domestic population, so I wondered what your thoughts were on that expressly.
Also, you have great experience in evolving security threats. In your view, does the Bill address major telecommunications threats to national security—future and evolving threats? For example, do you think this Bill would have helped to mitigate the impact of the recent SolarWinds Orion network monitoring hack, which was also mentioned by a previous witness?
I will start with the question of values. I am a great believer that technology and values and norms of behaviour are implicitly connected: you cannot separate them. It should be explicitly understood that it is an implicit truth. I believe—and I have stated this before to some of your colleagues and civil servants in various Departments—that the CCP has realised that the great firewall of China, which tries to police content within China, has holes in it and is not going to last, or was not going to last, given the direction that the internet, freedom of communication and transfer of information is going.
The next logical step, and what I believe is happening, is that if you cannot control the internet within the great firewall, it is better to be able to shape the internet everywhere, both outside and inside it. I would argue that a lot of the technological standard-setting that you see take place in the ITU and elsewhere is essentially that taking place, as is the use of social media platforms to harvest data, which is then used to aid in the censorship of domestic content within China.
With regard to evolving threats and the Bill specifically, I think that the Bill goes a very long way towards pre-emptively meeting threats that are likely to come in the future. My biggest issue echoes what I caught of the previous witness statements: the fact that it is a matter of capacity for the institutions that are given this responsibility—that is, Ofcom—and the ability to change their culture to actively engage within that framework and take action to ensure these standards are met and kept to. Those are my biggest queries about the ability of this Bill to be as forward-looking as we would like it to be.
Finally, with regard to SolarWinds, I think this Bill is aptly timed in a way, given the context of this particular threat. SolarWinds was a perfect example of a supply chain security risk, and a vector of attack that went through a diverse supply chain to meet what should have been some of the most secure systems that the United States had.
Telecoms will, as I have already said, be the backbone of all the UK’s future advancements of technology in all the things we are seeking to develop within our borders. The hardest thing to do as an attacker is to gain access. We should be making it as hard as possible to gain access; we should be making sure that there is as much oversight and understanding as is possible of where our supply chains go, the standards that they should meet, and whether those standards are being met, and I think this Bill goes some way towards that. I would argue that it needs to be continually updated, checked and maintained. This is not a one-off: times change, and the internet changes faster. Those would pretty much be my recommendations.
Q Thank you very much for that. The Bill does not create any incentives for network operators to diversify their supply chain, or place any requirements on them to make notifications of changes to their supply chains or their networks that could have security implications. There is no proactive requirement on network operators to do that, or to actively participate in standards development—and we have heard about the importance of standards development and the huge presence of China in that space. Do you have any thoughts about how we could address those incentives, and also the power of standards development?
The two essentially go together. If you look at the membership and those who take part in ITU standard setting committees and groups, you will see a predominance of not only state representation from China, but also representation of Chinese companies.
I think it needs to be made clear to our providers the benefits to them of being able to set standards; I believe this has been overlooked. The easiest way to do that is to simply look at some of the technical standards that have been set or lobbied for in this group by companies such as Huawei and ZTE, which are essentially entrenching their technical standards into a global standards body—that obviously gives them an advantage in producing that output. I think our companies could benefit in exactly the same way, and they would certainly benefit from taking part.
On having providers be more proactively involved, I think it would make complete sense for these actors to be made to inform Ofcom, or whichever regulator is chosen, of significant changes to their supply chains. It would be akin to having a black box where we go, “Okay, this black box must output something secure, but we don’t need to know how it gets there.” I think we should know, as much as is possible, who is involved in the supply chains to reach our eventual telecoms network.
Q Good morning and thank you for joining us, Dr Drew. In July last year, the Secretary of State made it very clear that the ban on procurement by the end of last year would have an effect on the roll-out. My question is: what will be the impact of the Bill on telecoms providers and infrastructure roll-out, as well as the 2027 deadline?
It is undeniable, as the previous witness stated, that this Bill will increase costs and potentially slow down the pace at which development of these technologies, to the standards that are now being asked for, can be done. I have been asked similar questions before about what is the cost of us not getting to 5G roll-out as soon as possible. My general response has been to point out that although 5G is a backbone technology that provides access, we have very few practical applications of the speeds and connectivity that this network will provide us with.
It is something that you might see on your phone, but the increase in speed from having a 5G connection will be almost so fast as to be unnoticeable to the normal user. We have not got to the point where we have large city-wide technologies that will draw on this infrastructure, such as traffic management, health systems and economic production systems.
Although there might be a delay and an increase in cost—which again, I think we should try to meet in a way that incentivises more players to come into this market—I think this delay is not crippling. That is because, at the moment, although the 5G technology itself is maturing, the uses of that technology are still immature and I do not think we are losing out too much if we have a slight delay, with the benefit of reaching greater security.
Q Can I just quickly follow up on that? I think you have answered it. Were the Government right not to quantify the impact of any delay in roll-out of 5G and full-fibre networks in their impact assessment?
I believe they were. I have seen a lot of attempts to quantify the damage or impact of limiting our vendor net, as it were. With the removal of Huawei, I have seen multiple attempts to put a value to that—of the slowdown and having to go to different vendors. I am uncertain as to the accuracy of any of those, and I think that it would be very difficult to put a number on that in any useful sense.
My impression is that there is nothing that should stop us from being able to enact the goals of this Bill and the incentives to diversify the market, while also being able to develop and invest in the next stage of 5G use, which is its actual application, and to marry those two up together in a manner that provides us with both security and financial and economic benefit from putting these systems in place.
Q Thank you for what you have said thus far. Some of it has touched on the National Security and Investment Bill, which I think is a complementary part of this. A lot of what you talked about regarding any reservations you might have was around, essentially, the resources for Ofcom—something that I think we will be talking about quite a lot in Committee. I am looking forward to saying that Ofcom will have all of the resources that it needs. I wonder how you think the Government could best demonstrate, beyond that short statement, that Ofcom is getting the resources that it needs.
I think what needs to be considered in that question is the type of resources that will be the hardest for Ofcom to acquire. I frankly believe it is not necessarily technology; I believe it is actually personnel. The edge that is given to companies that have already been mentioned in your hearings today—Google, Microsoft, Facebook et al—is not necessarily in the technology, but in those who design the technology. Those people are hard to come by at the level that we require them at. They are also very hard to keep, because once they reach that level of acumen and they have Google, Facebook or Amazon on their CV, they can pretty much choose where they go and, often, how much they ask for in the process.
I think the biggest issue that Government face—not only in Ofcom, but in regards to future technology policy—is attracting and keeping those individuals who can provide the services and understanding, as well as develop the tools, that a future Government will need. If you can demonstrate a way to capture that talent and retain it, I think that would go a long way to soothing any potential questions about whether Ofcom will be capable of meeting the requirements of this and other Bills. This goes across all Departments, I feel.
Yes. I believe that this is potentially one thing where, as much as possible, greater co-operation between these Departments should be encouraged, to the extent that it is possible to do, given how the security dynamics of the different Departments work. Quite frankly, Government do not have enough of this kind of personnel and expertise. What you do have, you must ensure is used as effectively as possible. That means that you cannot let them languish in one silo or Department, when their expertise would be highly useful in another where suddenly they find themselves dealing with types of issues that are far beyond their normal remit.
Q Can I just come back on that? I agree with you that GCHQ has difficulty in retaining staff, as you quite rightly say, Dr Drew, when they get to a certain senior level. I think it is about more than that; it is about culture, as well. Ofcom has a wide number of responsibilities in this sector. Would it not be better, for the security element of this, to give that to the National Cyber Security Centre and GCHQ, rather than leaving it to an organisation, which—we have been told—even if it got the culture right, would take a long time to get there?
I think the Minister is relying on good co-operation between the two organisations, but it is clear from the 2013 ISC report on critical national infrastructure and Huawei that civil servants with a bent for looking at economic development did not have their eye on the ball in terms of security, and they did not even tell Ministers about security concerns that were clear then.
That is a fantastic question. The best way for me to phrase this is that I believe there is an imbalance that is natural to those who have a particular role within Government or the civil service. Those with responsibility for economic advancement will have a different take on the same issue from those of their colleagues with a security bent to their work.
I find this is a complex topic that needs to be balanced across those different interests. That is why I would generally lean towards co-operation between these groups as opposed to others. I also suspect—although, due to the nature of their work, I cannot be certain—that GCHQ and the NCSC have significant work already, which is only likely to increase. Although they might have the technical capability that Ofcom lacks, I am not sure they have the capacity to take on the sheer volume of work that this is likely to create. I would argue that, actually, more resourcing in general is required for whatever co-operative body is created to carry out the actions of this Bill and other Bills attached to it. That is needed.
Q I do not disagree with you about the balancing act between security and economic development, which will be important. This Bill leaves it with the Secretary of State for Digital, Culture, Media and Sport, who is not a natural fit for security, and there will clearly be tension between the two. Do you therefore think that these key decisions—not the actual work on them—should not be vested with the Secretary of State, but should perhaps have the sign-off of the Cabinet and the NSC?
I would agree with you. I believe that the decision needs to be taken on a security level first, because insecurity and the risk of a poorly made decision would have negative impacts on the economic outputs as well. I am not certain that where it is currently vested in this Bill is the best place for it, but I also believe that transparency is the other balancing component here. I have had some conversations with one of the companies mentioned quite predominantly in this literature, and their biggest press is that they feel that decisions are being made with a lack of transparency and a lack of technical justification, and that it is all politics. The best way to solve that is through transparency.
Q Dr Drew, as a graduate of King’s College, it is great to have you with us. The Bill as currently written provides the Government with unprecedented new security powers. Might this in some way perhaps disincentivise new entries to the market?
It potentially could, depending on the type of company that you are attempting to incentivise. It would have a different effect on those potentially two or more categories. If you take one category to be pre-existing companies that previously have not operated within the UK, such as NEC from Japan, they are likely not to be put off to such a great extent—they have already had to deal with some level of security commitment within their normal markets. However, I suggest that it could be more of a barrier to entry for the smaller companies that we are attempting to encourage to get into this market. Emerging companies would find a culture of components and cultural risk to how they view their work, as well as the technical and financial cost of meeting the new standards. Yes, I believe there would be an impact, but it would be different between types of vendors that you are seeking to encourage.
Q We have talked a lot about 5G—indeed, we have been accused of fetishising 5G. The Government are currently consulting on security issues and fixed networks. Do you see major architectural differences or market differences in the security threats for fixed networks? Are they similar, and should a similar approach be taken to the removal of high-risk vendors? With regards to Ofcom, its principal duties are set out in the Communications Act 2003—I know this very well, having worked for it. They are
“to further the interests of citizens in relation to communications matters; and to further the interests of consumers in relevant markets, where appropriate by promoting competition.”
Do you think there is an argument to add a further security duty, if that is going to take such a large portion of Ofcom’s capacity?
As to the second question first, I believe that security should be a component here. In fact, I believe it fits with what Ofcom is likely to be responsible for, and with the Online Harms White Paper as well. Security is fundamentally and inexorably linked with technology, culture and communications in the modern sense, so I believe that it would be important for that to be included as a key provision for DCMS.
With regard to the differences between fixed networks and 5G and the implications of this Bill, in the efficacy of its methodology towards the other, there are technical differences in how 5G operates right now and how we perceive the next generation of telecommunications to operate, but those differences will change over time, I believe. They will become less distinct. It is likely that fixed networks will move towards the concept of computing on the edge, and this is indeed already happening in some senses.
As for the actual efforts to control security risk, I do not see any major differences between telecommunications suppliers and fixed network suppliers. There is the same potential risk. You mentioned the SolarWinds hack earlier. That was a fixed network supplier in a way—it was not telecommunications—but there was the same risk involved and the same means of access, through a diversified chain with limited oversight at Government level, because it is a private sector actor with limited responsibilities. That is as true in that case as it would be for a fixed network with Cisco, and as it would be with a telecoms provider by ZTE, Huawei, Ericsson or any other. I do not think there is a significant technical difference to mean that the goals and direction of this Bill could not, and perhaps should not, be applied to others.
Q I have just one quick follow-up question. Thank you very much for your evidence. The Bill separates out the diversification strategy, and in fact it does not refer to the diversification strategy. Is it possible for the UK to have secure networks without a diverse supply chain for them?
That is a great question that comes with a very simple answer: no. The worst-case scenario for creating a risk in this sense is when monopoly meets supply chain—in secure supply chain in this case. Arguably, the reason why SolarWinds was so successful is that it provided the same service to so many different organisations and departments in the United States. Therefore, if you access one—SolarWinds—you access almost all. That is the risk.
The same is true in this sense if you transfer these issues to telecommunications or fixed networks. If you have only a single supplier, all it takes is that supplier to be compromised for your whole network to be compromised. As I said earlier, with any form of cyber-attack, the access is always the hardest part if you are the attacker, so if you have an easy target or if the target is just one point, they can throw all their resources at it and it is easier. I would argue that diversification is one of the most basic and probably most effective means of limiting the damage that could be caused in any attack against one of those vectors.
Dr Drew, there are no further questions from Members, so I thank you very much indeed for your time this morning and for sharing your expertise with the Committee.