Examination of Witnesses

Telecommunications (Security) Bill – in a Public Bill Committee at 10:09 am on 19 January 2021.


Simon Saunders and Lindsey Fussell gave evidence.

Philip Hollobone (Conservative, Kettering) [10:38, 19 January 2021]:

We now move to the next panel, which consists of Simon Saunders, director of emerging technology at Ofcom, and Lindsey Fussell—I hope I pronounced that correctly—group director for networks and communications, also from Ofcom. In the previous two sessions we have been talking about you quite a lot, and now is your chance to respond. Could I ask you to introduce yourself and give a brief opening statement, starting with Lindsey?

Lindsey Fussell:

Thank you, Chair; that was the correct pronunciation of my name. I am Lindsey Fussell, I am the group director for networks and communication at Ofcom. My group oversees all of our telecoms regulation, including the new responsibilities for network security that we will be talking about today. I am sure we will have a lot of conversation about the nature of our responsibilities, but I think by way of opening I would say that we very much welcome the Bill. The National Cyber Security Centre found in carrying out its telecoms supply chain review that our existing responsibilities and the existing approach that operators took to telecoms security—and our powers as a regulator alongside that—really needed substantial strengthening, so it is great to see that happening in the Bill, giving operators the certainty of what they need to do to promote telecoms security.

Simon Saunders:

Good morning, I am Simon Saunders, Ofcom’s director of emerging and online technology. I have worked on mobile network technology since 1991, before there was 1G, all the way through to current work on today’s and future implementations of 5G. Last week we published a round-up of technologies that could form the basis of future 6G networks. I have worked for mobile equipment vendors, operators, large end users and software companies. I founded and chaired an industry association, the Small Cell Forum, where I led a previous initiative on interoperability and open standards—in that case, in 3G—and I have invented a number of mobile technologies.

Today, I lead Ofcom’s technical work on diversification, including Open RAN. I provide technical advice on behalf of Ofcom to the telecoms diversification taskforce. I hope I can help the Committee with issues on diversification, Open RAN and Ofcom’s potential role in that area.

Philip Hollobone (Conservative, Kettering):

Thank you both very much. James Wild will start the questions, followed by Sara Britcliffe.

James Wild (Conservative, North West Norfolk):

Q Clearly, these are new substantial duties on network providers and on you as the regulator to enforce them. What assessment have you made of the resourcing and additional expertise that Ofcom will require to take on these new duties?

Lindsey Fussell:

I think I will lead on that one, if that is all right. Thank you for the question. I will start by clarifying Ofcom’s role in the two parts of the Bill—I am sure we will talk about both. We have a significant role in relation to the telecoms security requirements, where we will have the obligation of monitoring and enforcing operators’ compliance against them. In relation to high-risk vendors, our involvement is rather more limited. The Secretary of State will have the power to direct us to collect factual information from the operators, but the question of monitoring, compliance and enforcement then rests with the Secretary of State. I thought it might be helpful to clarify the two different roles before we got going.

In relation to telecoms security, as you say, these are important new responsibilities. We have existing responsibilities for network security—and have had since 2011, albeit in a more limited way—so we have a network security team in place. We are also very familiar with monitoring clients and enforcement, and with working with precisely the same set of operators that we will hear about on the remit of other responsibilities, so we have a base to start from. That absolutely does not underplay the difficulty, importance and challenge of building up our resources to deal with this. We anticipate that the cost will be around £6 million to £7 million in steady state, and we will build up a team of probably 40 to 50 new people and new resources to cope with those responsibilities.

Philip Hollobone (Conservative, Kettering):

Simon, do you have anything to add?

Simon Saunders:

On our capabilities relevant to the expectations end of things, we are building on our existing capability, working with mobile operators and network providers on the equipment and the software. That is spread across Ofcom, in the leading networks group that Lindsey leads, the spectrum group, and indeed in our technology group, which I look after. In the relevant teams, we have been adding capabilities in with recent experience, with the mobile operators and mobile networks applying the formal diversification.

James Wild (Conservative, North West Norfolk):

Q You refer to needing 40 to 50 new additional staff. Have you begun recruiting those people yet and how confident are you that you will be able to get them? The security world is a competitive space and these are highly sought skills. How confident are you that you will be able to get those people in place in order to monitor and enforce the powers in the Bill?

Lindsey Fussell:

We have indeed already started to build up our team, and have had some success in recruiting people with experience of network security—from the operators, for example. We do not underplay the difficulty of doing that; I completely agree that those are sought-after resources. Frankly, it is unlikely that we will be able to compete on salary. The type of people we attract are those who are interested in looking at these questions from that broader perspective—looking across the industry—rather than in their previous roles in companies.

We have found that we can have some success in that, but we will also have to be creative in the way that we approach this. We are thinking about how we can build up a pipeline, for example. The NCSC has accredited a number of university courses, and we are looking at how we, alongside the NCSC, can pick graduates up from those courses, for example, to build up a future pipeline of staff, as well as bringing in people with more direct experience.

Philip Hollobone (Conservative, Kettering):

Simon, do you have anything to add?

Simon Saunders:

No, not in that area. It might be relevant to mention, just to make the point that it can be done, that I actually joined Ofcom from a role at Google.

Sara Britcliffe (Conservative, Hyndburn):

Q You never know, you might become shadow Minister when you move on from the job at Ofcom, as we have seen. My question is quite simple: do you believe that the Secretary of State is the right person to exercise the powers?

Lindsey Fussell:

Are you referring there to the high-risk vendor powers?

Lindsey Fussell:

Yes, I think so. It is important to say that, across the scope of the whole Bill, it is not Ofcom’s role to make national security judgments. That is really important. Clearly, that is the Government’s and the Secretary of State’s role, taking advice from the NCSC and the intelligence agencies. In relation to telecoms security, that has enabled us to take the very detailed work and the threat assessment that the NCSC has done, which have been translated into a set of requirements in the code of practice, and to apply those and work with operators to monitor and enforce that compliance without having to make those national security judgments ourselves. On high-risk vendors, I think it inevitable that there will be more national security judgments to be made, so it is quite proper that that role sits with Government rather than the regulator.

Kevan Jones (Labour, North Durham):

Q Your responsibilities are quite broad, and this is an expansion for you. You have already talked about recruiting staff for this task. How many of those staff will have to have STRAP clearance?

Lindsey Fussell:

As I say, we have existing networks security responsibilities, so the issue of security clearance is one that we already need to deal with. I think the point that I have just made is important: we will not be making national security judgments, and that means that we will need access to less national security information than you might imagine. I do not think that we will be routinely handling national security information, but where the NCSC feels that it is required, there are clearly provisions in place for that.

Having said that, as now and in future, there are occasions when we have to handle sensitive information, and we do have the necessary security clearances in place at different levels for our staff to do that. As we recruit, we will obviously ensure that people have those necessary security clearances so that we can handle any sensitive information that we are given.

Kevan Jones (Labour, North Durham):

Q I am sorry, but I do not accept what you have just said. If you are going to be the guardian of security as a member of the ISC who has STRAP clearance, you are talking about highly sensitive information, which, quite rightly, is guarded by the agencies for national security reasons. You will have to have a number of people who are STRAP-cleared. All I am asking is what that number is.

Lindsey Fussell:

We would clearly take guidance from the NCSC and others on whether they think STRAP clearance is required, because of course, it is for the agencies to have STRAP clearance and to classify information. I have had STRAP clearance in the past, in my previous roles in Government, for example, so I am well aware of the different security classifications that are required and the nature of the information that is to be handled. At the moment, the NCSC has not signalled to us that it thinks we require staff with STRAP clearance, but clearly, if it feels that that is needed for the type of information that we may need to handle, we would make sure that happened.

Kevan Jones (Labour, North Durham):

Q Personally, I do not see how you can do the job without having STRAP clearance making these decisions. As you know, you may have had STRAP clearance in the past, but it is not historic; you need to have it currently.

Lindsey Fussell:

Of course.

Kevan Jones (Labour, North Durham):

Q You said in response to Sara’s question about whether the Secretary of State is the right person to make these decisions that you are not necessarily making the decisions. Clearly, however, there will be a pull between your role in promoting the sector in terms of economic development, and national security. You will have an opinion on that. How will you balance that judgment?

Lindsey Fussell:

Our role in relation to the requirements is pretty clear. The Government, through the legislation that is being considered by this Committee, are setting out a series of duties on providers and then giving us a code of practice, which has been developed through the work that the NCSC did. That sets out in some detail what operators, in particular the larger operators, will be required to do to meet those requirements. What we will be doing is monitoring, discussing with and talking to those operators as they go on that journey, and ultimately—of course—enforcing compliance, if we think that is needed. Of course, our trade-off is always to be proportionate in the application of our powers, but it is quite clear that the expectation is that we will enable, encourage and require operators to comply with the requirements.

Stepping back from that, there is clearly a balance of judgment that the Government have taken in bringing forward these measures. We all want, for example, to see people across the UK getting the best connectivity possible as fast as possible. This Bill may well have an implication for some of those plans, albeit that operators are well aware of what is coming. But of course the balance of judgment is the importance that security plays for consumers, in making sure that they have access to secure networks, and bearing in mind the significant costs that can be incurred by companies and ultimately by consumers if there are cyber-attacks.

Kevan Jones (Labour, North Durham):

Q That will be a very difficult judgment to balance. I suggest that you read the 2013 ISC report, which is very informative on this issue and about where the balance went the other way, in terms of civil servants arguing then that economic development was better than actual security. So I think it will be a very difficult judgment to make.

Can I ask you about an issue regarding oversight? Frankly, I am not a great fan of quangos, because I think their accountability is limited and they allow Ministers to offload difficult responsibilities on to people who have very little parliamentary oversight. Regarding the oversight of your organisation from Parliament’s point of view, some of these decisions will clearly be highly classified. The Digital, Culture, Media and Sport Committee will not be able to look at them, because of the security classification. So how will we ensure that you and Ministers will consider the importance of security around these issues?

Lindsey Fussell:

That is a really important question. Clearly, we are accountable to Parliament—

Lindsey Fussell:

And we are ready to come and give evidence about our work to any Select Committee that would like to hear that evidence.

As I say, we ourselves will not make national security judgments, but I hear your point that the relationship and the role that we play in monitoring telecoms security, and enforcing those obligations on operators, is a very important one. Under the legislation, we are required to provide an annual report to the Secretary of State about what we find on the state of play regarding how operators are moving towards compliance, and indeed on any security compromises or incidents that we have uncovered and the action that has been taken in relation to those, and on any new threats or other issues that we have identified.

It will then be for the Secretary of State to consider whether they publish that report, and how much of it they publish. We will publish a summary of our work in our annual Connected Nations reports; we do that now. And as I have said, of course we will be ready to talk to any Select Committee that wishes to hear evidence of our role and how it is playing out.

Kevan Jones (Labour, North Durham):

Q But the Secretary of State is not Parliament. The Secretary of State can hide behind things, or choose what he or she wants to put in the public domain. Do you think that the Bill needs to establish some role for Parliament at least to have an annual report, whether it is to the DCMS Committee or, if it has classified information in it, to the ISC?

Lindsey Fussell:

I think that is really a question for Government rather than the regulator. We will be ready to provide whatever accountability the legislation requires of us, as well as providing direct accountability by talking to Parliament and Select Committees.

Chris Matheson (Shadow Minister, Digital, Culture, Media and Sport):

Q To follow up on one of Mr Jones’s questions, you say that you will not be taking decisions on national security matters. Who decides within Ofcom whether it is a national security matter or not?

Lindsey Fussell:

I think the structural framework helps us a great deal here, as I have already indicated. Clearly, the NCSC carried out a really detailed supply chain review, which identified the threats that could occur in different elements of the network, and it has now turned that into telecoms security requirements and, ultimately, into the code of practice. We will be giving—indeed, the legislation requires us to—considerable weight to that code of practice and the judgments that the NCSC has reached on what is required to combat threats. That will then enable us to judge and monitor whether operators are doing what is said in the code of practice.

If, for example, an operator were to say to us that it was not going to meet something set out in the code of practice because it considered that an alternative way would meet that threat, we will have arrangements in place with the NCSC to enable us to seek its advice and guidance at that point on whether that satisfies the requirements of national security.

Chris Matheson (Shadow Minister, Digital, Culture, Media and Sport):

Q Who takes the decision, then, to refer it to the NCSC? Where in Ofcom does that decision sit?

Lindsey Fussell:

Clearly, we would start that conversation within the team and escalate it if necessary, but I do not think that it will actually be an issue in practice. We already have very good working relationships in place with the NCSC, and regular collaboration and discussion. The legislation enables us to share information with the NCSC to enable either it or us to perform its duties. I do not think that there will be any issue in practice, or any surprise in terms of our regular interactions with it.

Chris Matheson (Shadow Minister, Digital, Culture, Media and Sport):

Q Can I ask something slightly different now? Do you have much internal movement in Ofcom? Do you have an internal jobs board? Do people move around and develop their careers there?

Lindsey Fussell:

Yes, we do. Of course, like any organisation, you would expect that. Ofcom has a range of people with different skills in it, as you would expect. It is actually far broader than, for example, some of the Government Departments that I have worked in before. We have people who are specialist technologists. Simon has talked about his experience. We have economists, lawyers, colleagues who specialise in enforcement, colleagues who specialise in policy, and many other professions. Although people absolutely do move and develop their career, and certainly in relation to these kinds of new responsibilities we will look to upskill existing colleagues where that is possible and where it makes sense to do so, we also employ an awful lot of specialists who will tend to stay more in that specialism and apply that to our work.

Chris Matheson (Shadow Minister, Digital, Culture, Media and Sport):

Q That is the point I am getting at. If I think about recent changes at Ofcom, you have had responsibilities for monitoring the BBC, for example. Online harms is coming to Ofcom. It seems that quite a lot is being asked of you, and demanded of you. How can we be sure that you have the capacity to manage the workload, and the technical capacity to manage these very challenging issues?

Lindsey Fussell:

I am certainly not going to deny that there is quite a lot going on, and the organisation is expanding, as you say, albeit with different deadlines and different timescales for the new responsibilities. I have already talked about our recruitment plans to ensure that we have the specialist skills in place to focus particularly on network security, as well as the enforcement and legal support that we will need to deliver this regime, which is a very important part of it.

It is also worth reflecting, though, that there are some really interesting overlaps between different areas of our new responsibilities. If I think of the responsibilities that we have just taken on in relation to video sharing platforms, we are having to understand, as part of those responsibilities, network infrastructure, data analytics and so on. All that actually calls on similar skills and experience that we will need for the regime that we are talking about today, so there is some crossover that we can draw on. Simon, did you want to add anything on that?

Simon Saunders:

Absolutely. We have different teams that we are building for the different responsibilities, but there are definitely overlaps between them, and in particular we have built a team of technologists particularly to inform our work on online issues, including, but not limited to, online harm. That comes with a need for us to have technologists who have worked in, and understand, a range of cloud-based computing platforms and the online social media platforms in general. The underlying [Inaudible.] technologies are the ones that increasingly telecoms networks are being built with as well—the so-called cloudification, or virtualisation. So, helpfully, when we recruit specialists in the one area there is the opportunity for them to contribute to the other areas of our responsibilities and to ensure that our approach to these things is [Inaudible.] I think we actually get benefits from having multiple of those duties, rather than separating them.

Chi Onwurah (Shadow Minister for Business, Energy and Industrial Strategy; Digital, Culture, Media and Sport; Science, Research and Innovation):

Q Thank you very much for sharing your expertise with us. As a previous employee of Ofcom, for six years, I am, not surprisingly, perhaps, a huge admirer of your work, and, to reflect what was implied by the hon. Member for Hyndburn, I think that Parliament will always benefit from increased telecoms expertise here.

I want, with permission, to ask a question about three areas: security, assets and costs, and duties. I share some of the scepticism of my right hon. Friend the Member for North Durham about the statement that Ofcom will not be making decisions on national security. You will clearly have duties with regard to national security and one of the key duties is to ensure compliance of our entire network—all our networks—with national security requirements. So how are you going to ensure that compliance without taking decisions on security? You seem to suggest that it is just going to be a set of protocols, if you like, from the National Cyber Security Centre, and you are just going to look at ticking the boxes to see that they are met; but in practice that cannot be the case. It is far more complex than that, particularly with regard to emerging technologies.

Another issue is that the Bill puts all the requirement to ensure compliance on Ofcom, in terms of Ofcom seeking information, Ofcom requiring information, Ofcom setting out notices to inspect, and so on. For example, let us say that one of our network operators—I shall not name one—decides to buy all its cloud or virtualisation equipment from a Chinese manufacturer that is not designated a high-risk manufacturer. Would Ofcom be informed of that change in its network? How would that pass to the National Cyber Security Centre—or would it not? Without that kind of duty in place, is there a risk of what you do becoming a meaningless tick-box exercise and, particularly, of its not addressing future and emerging security threats? That is my first question.

Lindsey Fussell:

The point that you raise about this needing not to be a tick-box exercise is absolutely vital. I think actually what we are talking about in this legislation is changing culture—crucially among operators but also in terms of giving the regulator new responsibilities and changing the culture that we have, and the responsibilities and the range of the role we take on in relation to this. So this is absolutely—the legislation in fact specifically says so—about future technology as well as about existing networks. It is critical, I think, that we and the operators go on this journey together in terms of promoting that security by design, in everything that is done.

Picking up your question specifically in relation to assets, I think it is more or less impossible to meet the requirements set out in the code of practice for the operators unless they have a detailed asset register of everything that is in their system. We would expect to see evidence of that, and that it is regularly checked, audited and so on. That would be an expectation for us.

On the relationship with the NCSC, as I say, we have specific provisions in place that enable us to share information with the NCSC. As we collect that information with operators, we will discuss with them in advance what type of information they want to see on a routine basis, sharing that and clearly taking guidance from them as necessary if they think there are national security issues that we need to be aware of.

I mentioned earlier about having security clearance in place. To expand on that answer, we have a small number of STRAP-cleared staff in Ofcom, and we will expand that if need be. Those relationships with the NCSC are already in place and will be productive. I should say also that if the NCSC identifies new threats, or if we identify new threats, I think the legislation is flexible and it is right to be so, in that the code of practice can be updated to reflect that.

Simon Saunders:

Could I also add that, in respect of our role in emerging technologies, we are not only awaiting others to tell us which emerging technologies to pay attention to? We have our own independent programme of monitoring and horizon scanning for technologies that could appear and have an impact on the networks and the sectors that we regulate. Clearly, the implications are not only about security. They cover a wider range of issues of performance and costs and flexibility and so on. We actively monitor across these sectors for those technologies.

I mentioned earlier that we recently published something about technologies heading for the future generations of mobile. That also covers fixed networks, the advent of quantum technologies and distributed software technologies in networks, and so on. That programme yields an advance look for colleagues about threats and opportunities that are coming towards us into the markets, so that we can build the skills and consider the implications well in advance of their actually impacting on those networks.

Chi Onwurah (Shadow Minister for Business, Energy and Industrial Strategy; Digital, Culture, Media and Sport; Science, Research and Innovation):

Q How can you make that assessment without taking decisions about national security? If you are relying, as you seem to be saying, on the National Cyber Security Centre to make those decisions for you, how are you, or they, accountable to Parliament for that? There is a basic issue here, in that you feel that you are not responsible for national security. However, we do not see how that responsibility for national security is made accountable if you do not have any responsibility for it but you have responsibility for compliance. You have not answered my question as to how a change in the networks would be made known to you or the National Cyber Security Centre when there is no requirement for that at the moment, as far as I can see.

Lindsey Fussell:

We would, as I say, expect providers to keep detailed records of the components that they use in their networks. I would expect that that is the type of information that, if a significant new vendor is brought into the market, the NCSC might well be interested in. It is worth saying that, while we do not have any direct regulatory powers over the vendors themselves, under these arrangements operators are required to assess the maturity of the vendors and suppliers they use, and the NCSC has issued guidance to them to enable them to assess that maturity. If the question is: if we see a brand new supplier starting to appear, is that the kind of information that we would expect operators to provide to us and for us then to share it with the NCSC? The answer to that question would be yes.

Chi Onwurah (Shadow Minister for Business, Energy and Industrial Strategy; Digital, Culture, Media and Sport; Science, Research and Innovation):

Q With regard to asset registry and expectations of having that, having spent a significant amount of time looking in the back offices of operators as to what they have, I know that they are certainly not up to date. We have heard from other witnesses that they do not always have up-to-date and comprehensive asset registers. To rely on an expectation seems a low bar.

Can I come on to duties? I have the Communications Act here, which has got a lot thicker since I left Ofcom. The two duties are the “interests of citizens” and the “interests of consumers” with regard to competition, but there is not a duty on security. Does that not suggest that if there is a conflict between competition or communication matters, that will be prioritised over security if there is not an explicit duty to maintain the security of our networks?

Lindsey Fussell:

I think this legislation quite clearly does place explicit duties on us to monitor and enforce the compliance of operators on network security requirements. I do not see that there is any risk that we would downplay the importance of that duty in comparison with others. Clearly, it is for the Government to put forward any changes to legislation to change the balance of our duties or to add new ones, but I think the Government—and, indeed, Parliament—are asking us very clearly to take on those responsibilities through this new legislation.

To pick up on a point I made earlier, in terms of the interests of citizens and consumers, it is important to say that of course it is in the interest of citizens and consumers to have excellent networks functioning that provide them with great connectivity. If we have learned anything from this most recent period, it is how important connectivity is to everybody’s daily life. Of course, that comes across in pricing and support for more vulnerable consumers, and all those other things that we have responsibility for in telecoms.

Actually, promoting secure networks is absolutely in the interests of consumers and citizens as well, not just because of the really damaging consequences of cyber-attacks, but because, ultimately, if we are able to have better networks, that should enable greater economic innovation through 5G use cases and things like that, for example. I think in promoting the interests of citizens and consumers, telecoms security is clearly part of that.

James Sunderland (Conservative, Bracknell):

Q The Bill provides powers to fine vendors up to 10% of their annual turnover or up to £100,000 per day for failing to meet standards. Could I ask for your view, please, on how that compares internationally, and whether you feel that that is appropriate?

Lindsey Fussell:

It is probably worth saying that, from an international perspective, although there are some other countries—notably Germany and Australia—that have started to explore strengthening their telecoms security framework, I am not aware of another country that is quite as forward leaning in terms of the framework that is being put forward in this legislation.

In terms of the fines, this is an important point—those fines match the level that we are currently able to levy in relation to our other telecoms requirements, such as breaches of our general conditions. Previously, under our past responsibilities, our fines were limited to £2 million, so really quite a small amount compared with the wealth of the largest operators. I think it is appropriate that the telecoms security fines match what we are able to do elsewhere.

The final point I would make is that fining is an incredibly useful power to have because it acts as a significant deterrent and a strong incentive for companies to comply. It is actually not the first lever that we reach for, certainly not maximum fines; it is there and we are ready to use it if we need to, but our starting point would be to work with operators on this journey as they move towards compliance as they respond to new and emerging threats.

Matt Warman (The Parliamentary Under-Secretary of State for Digital, Culture, Media and Sport):

Q Thank you for all the work you have done on this matter so far. I wonder if you could just say a little bit more about the responsibilities that Ofcom has had, as you put it, since 2011 on telecoms security. I think that perhaps the extent of that is not as well understood as it could be.

Lindsey Fussell:

Yes, of course, I am very happy to do that. As you say, we have responsibility now to monitor and enforce compliance on security. The difference, which is why I think this legislation is so welcome, is that at present we do not have any obligations set out as to how operators need to meet those security requirements. It has been basically up to them to decide what is necessary. While many companies have invested very heavily in their security—I would not want to suggest otherwise—clearly there is a journey to go on and improvements that need to be made. It is very welcome that we now have this much clearer framework, so that operators know what they need to do and we can enforce against it.

The other point that is worth bringing out is that, at present, operators are under a requirement to report incidents to us, but the nature of that reporting tends to be around incidents that cause outages. We do get a lot of those—caused not just by cyber-security but by wind, weather and other issues. Quite a lot of cyber-security incidents are, frankly, precisely designed not to cause outages, because it is in the interests of the malicious actor to allow the network to keep operating while they do whatever they are up to. The new requirements on operators are to tell us not just if there is an outage but if there is an incident where they believe their system may have been compromised. They are wider ranging and welcome powers.

Matt Warman (The Parliamentary Under-Secretary of State for Digital, Culture, Media and Sport):

Q I think you are also aware that this legislation is backed up by a number of statutory instruments to give further powers.

Lindsey Fussell:

Absolutely.

Matt Warman (The Parliamentary Under-Secretary of State for Digital, Culture, Media and Sport):

Q Would you like to give an assessment of whether you think that is sufficient to address the concerns around, for instance, asset registers, which we have talked about before?

Lindsey Fussell:

Yes, so the way the legislation works, as you say, is that there is a primary duty on operators to promote security of their networks, and on us to enforce and monitor compliance against that. My understanding is that the secondary legislation will set out around 40 to 50 sub-duties on operators, which they will all need to meet—that is all operators and providers of electronic communications services.

Underpinning that, each of those sub-duties will be reflected in the code of practice, setting out the details of what the operators need to do to meet each of those sub-duties. As I explained earlier in relation to the questions we discussed on national security, we are entitled, as the regulator, to place quite a lot of weight on the national security judgments that the NCSC and the Government have made in drawing up both those sub-duties in the code of practice, in responding to the threats identified.

Philip Hollobone (Conservative, Kettering):

Any other questions from Members?

Chi Onwurah (Shadow Minister (Business, Energy and Industrial Strategy), Shadow Minister (Digital, Culture, Media and Sport), Shadow Minister (Science, Research and Innovation)):

Q A word on costs, perhaps. You said in your opening statement that you expected it to cost about £6 million to £7 million for Ofcom. How will those costs be funded or raised? In terms of costs on operators, clearly a requirement to do a complete asset register, for example, could be a very significant cost for an operator. What kind of costs do you see? Do you see limits being placed on the costs that operators could incur in complying with Ofcom demands or requests?

Lindsey Fussell:

In relation to Ofcom’s costs first, Ofcom is funded in two ways: first, by a levy on the sectors and companies that it regulates and, secondly, through the collection of fees, primarily from our spectrum duties. Our overall funding is obviously agreed by our board but also subject to a cap agreed with Government each year. We are currently in discussion with the Treasury about the exact technicalities and which of those routes will be used to fund this, but it will be in line with Ofcom’s normal funding arrangements.

In relation to company costs, clearly the Government have looked into that, in discussion with operators in relation to the impact assessment for the legislation. I know that there is a plan to do further work on that in relation to telecom security requirements, once companies have had a chance to see the SI and the code of practice.

The point here, which is built into the legislation, is the concept of proportionality. Although we would expect the largest operators—we would work with them intensively throughout the process—to take part in, for example, penetration testing, it is likely we will be more proportionate with the smaller operators and, for example, respond on an incident-based approach, rather than expect them to carry out the same level of detailed work and interaction with Ofcom. In all of that, we would want to be proportionate in the costs imposed on operators, as we are in all our responsibilities, bearing in mind that these are really important responsibilities, as we have been discussing.

Chi Onwurah (Shadow Minister (Business, Energy and Industrial Strategy), Shadow Minister (Digital, Culture, Media and Sport), Shadow Minister (Science, Research and Innovation)):

Q Could you therefore confirm that the costs will be in line with the size of the operator, so small start-ups will not be expected to pay the same as Vodafone, for example? We have not talked at all about the diversification strategy, yet there is agreement that we cannot have secure networks without effective diversification of the supply chain. Are you in a position to monitor the diversification of operator supply chains, and is that something you would expect to be doing?

Lindsey Fussell:

If I may, I will bring Simon in on the question of diversification. In relation to costs, the bulk of Ofcom’s own costs are paid by larger operators rather than smaller ones, and we have talked about proportionality in the way we operate that. Again, although I understand the tiering of the system will be set out in the code of practice, that will also be based on size and scale. Simon, may I turn to you on diversification?

Simon Saunders:

The diversification strategy that the Government have published has set out a desire to attract new suppliers to the UK and further expand suppliers through open solutions, among other means, and to ensure that that is supported by an appropriate regulatory framework. We are ready to do what comes from that, in terms of any objectives the Government set on the level of diversification and to support measures to enable that. There are clearly synergies between the security aspects and the diversification aspects: in determining how diverse the supply base is, having a fully populated and up-to-date asset register from the operators for the security needs will also support the requirement to assess the diversity, if that is what we are required to do.

Chi Onwurah (Shadow Minister (Business, Energy and Industrial Strategy), Shadow Minister (Digital, Culture, Media and Sport), Shadow Minister (Science, Research and Innovation)):

Q But currently your duties are all to do with the stick, in terms of the enforcement of security requirements, and nothing to do with diversification or the incentives for that?

Simon Saunders:

Our existing duties around ensuring the health of the communications market for consumers and citizens point in the same direction in many ways, even if diversity is not spelled out explicitly. We see that a functioning, competitive market for network equipment supports the operators’ ability to provide cost-effective networks that perform well, and that supports the needs of citizens to get great services wherever they are and for those services to be reliable and so on. I do not view this as an entirely separate area from our existing duties; whether specific duties around this are needed is part of the work we are doing to support the taskforce and the plans that come from that.

Philip Hollobone (Conservative, Kettering):

This will have to be a very quick answer, because we have to stop at 11.25 am.

Kevan Jones (Labour, North Durham):

Q You have said that you will take advice from the National Cyber Security Centre. What happens if you disagree with its advice? Who takes the final decision on what is national security?

Lindsey Fussell:

I think that the National Cyber Security Centre takes the decision on national security. Of course, the Government ultimately have the power for that but on the advice of the NCSC. Decisions on enforcement and compliance are for Ofcom, following the code of practice that the NCSC has created for the Government.

Kevan Jones (Labour, North Durham):

Q Yes, but what happens if you disagree with it?

Lindsey Fussell:

Sorry, I had some feedback there; I was having trouble hearing you. Is the question what would happen if we disagreed with the advice given to us by the NCSC on national security?

Lindsey Fussell:

I think in that case we would take the guidance of the NCSC. In practice, I really don’t think that is likely to occur. Ultimately, the final decision on whether an operator has complied and whether we enforce is with us. The NCSC would not be able to overrule that decision, but we would be taking that decision in the light of the information we would have been given from NCSC about what is required to meet national security.

Kevan Jones (Labour, North Durham):

Q May I suggest that you read the Intelligence and Security Committee’s report from 2013 on critical national infrastructure, because exactly that happened when a Department overruled the Security Service? I think you will find yourselves in a similarly sad position with this legislation.

Lindsey Fussell:

I have read that report, thank you.

Philip Hollobone (Conservative, Kettering):

Thank you very much indeed to our two witnesses. We are very grateful to both of you for your time this morning and for the expertise you have shared with us.

The Chair adjourned the Committee without Question put (Standing Order No. 88).

Adjourned till this day at Two o’clock.