Examination of Witnesses

Telecommunications (Security) Bill – in a Public Bill Committee at 2:00 pm on 19 January 2021.

Heba Bevan OBE, Dr Nick Johnson and Dr Andy G. Sellars gave evidence.

Steve McCabe, Labour, Birmingham, Selly Oak, 2:01, 19 January 2021

Good afternoon. We come to our fourth panel of witnesses today, consisting of Dr Andy G. Sellars, Dr Nick Johnson and Heba Bevan OBE. We have until 2.45 pm for this session. I will ask the witnesses to introduce themselves for the record, starting with Dr Sellars.

Dr Sellars:

Good afternoon, Committee. I am Dr Andy Sellars and I am the strategic development director with the Compound Semiconductor Applications Catapult. We are a non-profit research and technology organisation that helps UK companies to exploit new technologies, predominantly for electric vehicles, quantum technologies and advanced telecom products. I look forward to answering and helping the Committee with their inquiry.

Heba Bevan:

Good afternoon, and thank you very much for having me. My name is Heba Bevan, and I am the CEO and founder of UtterBerry Ltd. We are a company that deals with artificial intelligence and very heavily with wireless sensor networks or internet of things solutions. We provide our solutions to major infrastructure such as Crossrail, London Underground, Network Rail and Tideway, and we are also involved in healthcare. We design systems that are part of the IoT system, dealing with communications. My background is that I am an electronics and computer engineer and I used to design central processing units for Arm Ltd.

Dr Johnson:

Good afternoon. My name is Nick Johnson, and until a month ago I was chief technical officer of ip.access, a UK-based small cell vendor that was bought in September last year by Mavenir—I think you guys interviewed Mavenir on Thursday—but I left at the beginning of this month, so I am now independent. I just want to stress that, on the connection with Mavenir, I am truly independent; I am not speaking for Mavenir in any sense at the moment.

I think ip.access came up a couple of times in the conversations with Mavenir last week, but we are a small cell radio access network vendor, a RAN specialist for cellular technology, global system for mobile communications, 3G and long-term evolution, and to some extent 5G. We are deployed in many networks. Historically, over the 20-year life of the company, we have been deployed in more than 100 networks worldwide, and are probably active in a little more than 50 of them. Those networks include T-Mobile in the US, AT&T in the US, Airtel in India, BT One Phone in the UK and others of that sort. Those are my credentials.

Dean Russell, Chair, Speaker's Advisory Committee on Works of Art

Q137 As you know, there are very many benefits to a 5G network in terms of the speed, application development and the new era that it can bring, but would you mind focusing for a moment on the new security risks that 5G will also bring, please?

Dr Sellars:

You are quite right that 5G opens up a whole load of new benefits, predominantly high-speed access/lower latency. I think some of the security risks are around who is providing the infrastructure to support 5G. The concern that we have at the moment is that we need to have security of supply—both resilience of the supply chain for that infrastructure, and the cyber-security and encryption element of that infrastructure.

I think it is fair to say that 5G is likely to support a much broader selection of services. It is likely to have an impact on commercial, governmental and security transmission, just because of the widespread access and its very high-speed capability. It is also likely to support a very large number of internet of things devices—the sort of devices that UtterBerry develops. Some of those devices are another potential attack vector, if you like; they are another potential vulnerability. It is broadening the access into the network, which is potentially opening up new sorts of vulnerabilities that we need to take into consideration.

Dr Johnson:

Let me start by saying that some aspects of security in 5G networks are actually much more secure than in previous generations. Looking over the lifetime of cellular, you will know that you could just listen into first generation analogue networks with a very high frequency radio. GSM—the global system for mobile communications—was secure, partly at least. The network and the phones would authenticate to each other, but only asymmetrically, so the phone could be captured by a surreptitious network. That sort of attack is still used.

3G is much more secure, with symmetric authentication. It is harder for devices to be captured by the wrong network, but it is still possible. It is also possible for the IMSI—that is to say, the international mobile subscriber identity—of an individual or group to be found from that network. The same is true of 4G. In 5G, that is much more difficult. In terms of the security of the user of the network, 5G has tightened up a lot of the loopholes in previous generations in a way that is very hard to unpick. That creates tactical problems for some law enforcement agencies, which rely on some of the insecurities of earlier generations to do their job.

From the network side of things, there are some issues. There is a new network model in terms of the way nodes are connected in the core network. No longer are there physical interfaces as in previous generations of network, where there would be an S1 connection from the base station to the core. There are still connections, but they are much more in a publish-subscribe-type model. I think those, conceivably at least, bring a little more opportunity for attackers to probe nodes within the core network to find weaknesses and vulnerabilities. That is my take on 5G.

Heba Bevan:

We have three elements that the telecoms community could work on: the communication aspect, which is provided by companies such as BT; the hardware aspect, which is probably provided by companies such as UtterBerry; and the software element within the system. So there are three types of vulnerability that could be introduced in the path of these three elements. The only problem with these paths is this: who is responsible if there is an attack? Usually, the communication aspect is the most important part to get protected.

Currently with 5G, there is a huge opportunity for opening up a huge economic impact from the sector in terms of healthcare, education and tech industries. These industries will need to move on and having 5G is definitely an important element, but how can we make sure it is secure in providing an effective communications network that provides an end-to-end solution and security? That is where I think we need to concentrate on the telecommunications and how can we make sure that what we are getting from that communication is totally secure, and that the encryption within it passes certain thresholds.

We can follow a certain standard within the hardware and software, but if the network is weak and has not provided us with good reliability, that is where things could be broken.

Chris Matheson, Shadow Minister (Digital, Culture, Media and Sport)

Q Thank you for those answers. I have just a couple of questions. First of all, following on from Mr Russell’s question, the impression I get—I am not an expert—is of a network that is a bit like a bowl of spaghetti. There are bits here, there and everywhere, and there are bits of different generations that are all added on. How easy would it be from your point of view, with your different areas of expertise, to audit and identify within any part of that chain in the network exactly where there is equipment—hardware, software, chips or whatever—that perhaps needs to be removed or checked?

Is there a shelf-life of the older versions? I am surprised that we are still talking about 2G—that it has not been removed. Is there a shelf-life for those elements and will they be removed from what I term “the network”, which is of course the whole global telecommunications infrastructure of the UK? Nick, do you want to start on this question?

Dr Johnson:

Yes. Let me start on that shelf-life question. GSM is a little bit like Radio Four longwave, right? I do not think that it is ever really going to die; there are just too many people who depend on it for one reason or another, whether that is for emergency calls, or just for coverage in remote locations or wherever. I think GSM will stay there forever, despite its security issues. They are well known and understood, and managed in due course.

The shelf-life of network components is an interesting aspect. Our experience of deploying into cellular networks is that there is always a security audit involved. When we take a piece of equipment into a new operator, there is always a hurdle to be overcome. They have their own audit procedures and those include a sort of paper audit, where they look at the particular software components that the software is built from, some of which we build ourselves, some of which is open source and some of which is commercial off-the-shelf software libraries and so on. They want to make sure that those are all up to date and properly patched, with all the latest security patches and so on. I think that will just continue on. To some extent, that is just the baseline hurdle.

I am not sure this is exactly what you are asking, but what has changed in my mind as we go forward is this idea that there can be software in the network that is not so much interested in security—as in, somebody hacking into it—but is more of a Trojan horse type of software, completely undetectable until some signal or some date comes by and it springs to life and does bad things. The example I have in mind is the SolarWinds example from December last year, where software had been inserted in the supply chain and had been sitting there quite happily for a while. That, to my mind, is very difficult to detect. Until it goes off, you do not know there is a bomb inside it, and that is an issue.

Coming back to the shelf-life question, keeping the software up to date is a major issue. It sounds easy, but practically speaking, I know it is an operational dialogue all the time within vendor businesses: they are striving for revenue from new customers, for new features to be added, and that is acting against updating the software libraries and so on to bring them up to date. There is a continual dialogue in every vendor company to ask, “Do we need these features to get more revenue, or do we need to update these libraries because we need to maintain secure software?” I guess to some extent, the whole reason for this Bill is to try and force that to the front of the conversation; to say, “Look, you can’t go on. That dialogue has to stop now. The software needs to be secure.” That has to be the baseline; it has to be a basic hygiene factor in selling software that it must be secure to a certain level, and the features need to come as value added. If you have some questions coming up on the code of practice, designated vendors and so on, we might talk about that, but those are my comments on shelf-life.

I think I missed your first question. I apologise.

Chris Matheson, Shadow Minister (Digital, Culture, Media and Sport)

Q No, that is grand. Heba or Andy, do you want to add anything to that?

Dr Sellars:

I can add a little bit. Your question about auditing systems is very pertinent to the experience we went through at the end of the 1990s with the Y2K bug. Lots of companies were required to do an audit: financial institutions, companies using software-driven automation, were required to do an audit of their systems in response to that threat. It would probably be a fairly similar exercise for telecoms. I am sure they must have a register of the equipment they use.

Nick has made all the points about software shelf-life, but from a hardware point of view, there is a capacity that the hardware can deliver. My understanding is that as they put in a new service such as 5G, it is quite often built on existing infrastructure such as 4G and 3G. Clearly, each piece of hardware has a bandwidth and can support a certain amount of data throughput, so in terms of shelf-life, I would argue that it is mostly capacity-related. I do not think there are any major concerns about things wearing out as such from a hardware perspective.

Heba Bevan:

If we are auditing basically hardware, it becomes very difficult. You can audit maybe 10 main base stations, 20 or even 100, but every single one of them is quite hard and intensive, and it might also be locking to a certain competition in who the supplier is. If you are getting it from one supplier, you are able to audit that supplier, but if you are getting it from multiple suppliers, how would you audit every single supplier? Would you go 10%, or 20%?

The other thing I would like to highlight is that back in early 2018, Intel had a problem with the security of one of its chips. I can provide written evidence later on to give you the full details on that. One of their chips, as well as AMD and Arm, had a problem, and they knew about it, but it has not been fixed. The problem is that if you put it out there into the community, it becomes a major threat, and a bigger threat.

In terms of hardware, as long as it is supported, maintained and updated on a regular basis, its shelf life will be built to a certain recognised standard. However, if it has not been built to a certain recognised standard and it has not been tested and maintained yearly, it will come to an end very quickly and will need to be replaced. We have a huge problem with a lot of networking in smaller areas and bigger areas in the UK. Some of the areas have an amazing network and speed, and some of them are very bad and are actually degrading. We can see that even in education. Schools currently rely on these networks to have Zooms and Teams meetings, as well as normal meetings. Some areas have not been maintained as other areas in the UK have. Maintaining and auditing them is bound up with the maintenance and making sure that, whoever the supplier is, they maintain the system on a regular basis, update the software and keep a track on that.

Steve McCabe, Labour, Birmingham, Selly Oak

I am sure Members would appreciate further details on the Intel example, if you can provide that.

David Johnston, Conservative, Wantage

Q Can I ask about the diversification strategy, which is a question I asked some of the other witnesses? The Government are rightly investing a significant amount in this. We all agree that it is needed. What do you think success looks like? Our problem at the moment is that if we take out Huawei, we have only two vendors we can use. What range would you like to see, and in what sort of timeframe?

Heba Bevan:

The problem with Huawei is a bigger problem. The technology was freely created by BT and got sold to Huawei. I think that such an important technology should not have been allowed to be sold in the first place. I am sorry; this is my personal view, not a company view. I think certain technology should be kept within the country because it has a certain importance and all of us use it, so it should be kept in a certain way.

On replacing Huawei with something else, currently we do not have many options, to be honest, in terms of 5G. We have Ericsson, which is a provider of a chip. There are other providers, but they have not come out. Even looking into modules currently, UtterBerry is working on a 5G project with DCMS and the Welsh Government, and we are basically creating the first IoT solution that is completely compatible with 5G.

In terms of supplier for the chip, we have one option, which is Qualcomm. We have Ericsson as well, but they are not at the same speed as Qualcomm, so in terms of options to go with 5G, I do not think there are many suppliers in that market. The capabilities within the—

David Johnston, Conservative, Wantage

Q May I briefly interrupt? I accept that there are not many suppliers now. Given the money that the Government are going to invest in trying to support having more suppliers, how many would you like to see and by what timeframe?

Heba Bevan:

That depends on competition law. The more the merrier probably, at least to give each of us a choice. It would be great to have a choice and to pick the best for the situation. The problem is, given the speed at which we want to roll out 5G, I do not think we will have enough time to create many companies that can provide 5G. We have the capabilities to do it in the country, but we do not have the capability to manufacture that number and roll it out to the entire country. Perhaps Dr Andy Sellars or Nick can comment on that.

Dr Johnson:

Let me chip in for a bit. In terms of diversification, there is an issue with scale. Derek McManus made this point—I listened to his contributions from Thursday—about scale. In order to serve the global telecoms operator network, you need scale. You need enough financial and technical muscle to withstand the procurement practices. There is an issue around how much you can afford to deliver, at certain profit margins, in order to make a business. It is very difficult for small companies to achieve that scale.

Speaking for myself, we are a case in point. We achieved a certain degree of scale but did not get to the point where we could compete effectively with Ericsson, Nokia or anybody else in that space. There are quite a few second-tier players around, Mavenir and Airspan, which have 5G technology that could be deployed. Is that scalable to the degree that Vodafone Group would require? Do they have the financial backing to withstand Vodafone procurement organisation? I think that is a major issue.

If you look for the sentiment of the investment community around telecoms, I do not think you will get very positive feedback. Investors are, with one or two exceptions, looking elsewhere to make money. It is a very mature market. Finding new growth in that market is very challenging. I do not have an obvious answer to how, globally, you would achieve diversification. Doing it from the UK is a big challenge.

The only crumb of comfort I can offer is that we should, I think, focus on core intellectual property, as a country, strategically. If you just focus on the software, and the implementation of the technology, we will get outrun by people with much bigger and much cheaper workforces, which are as highly skilled. The only way to cement the position in the global economy is by intellectual property and ensuring that you own it, it is well protected, and you can leverage it and exploit it appropriately in that space. Some of the work that Andy is doing at the Catapult is looking at not necessarily software, but technology that could be used in 5G to improve the efficiency of radios and so on. Paradoxically, hardware-centric IP may well be very important to the effective operation of a network.

I am not giving you a very good answer here. It is a very challenging political goal, to say that we want to diversify. What is in it for us as an investment community and a technology community? I think everyone is looking elsewhere at the moment.

Steve McCabe, Labour, Birmingham, Selly Oak

I am conscious of the time. Dr Sellars, do you have anything to add to that?

Dr Sellars:

Absolutely. We are in a situation where we have three monolithic suppliers—we are actually down to two monolithic suppliers. With telecom diversification, we have an opportunity to look at disaggregating parts of the network, especially for newer 5G and other services.

My background is similar to Heba’s. I am an electronic engineer by trade. I have designed electronic systems that have been manufactured in the UK and I have written software to drive those systems. In the UK we have something like 5,000 companies that design and manufacture electronic systems. Something like 600 of them are involved in telecoms. I am not suggesting that all of those 600 become equal players. That would be a crazy scenario. But there are certainly some parts of the telecom network where the UK is pre-eminent. There are some backhaul and fibre technologies that we are very good at. As we deploy 5G into rural communities, that is likely to require low Earth orbit satellites; we are very good at satellite communications.

We have clusters of activity with these things around the UK. There is a cluster of radio frequency, backhaul and satellite communications in the north-east, and of satellite manufacturing in the central belt of Scotland. We have clusters of activity in the Western Gateway and around small-cell base stations. In south Wales, we have clusters of activity in compound semiconductors, which are the next generation of chips required for 5G and other high-data rates communications. So, I think the diversification strategy goals of opening up and disaggregating the markets are certainly going in the right direction.

Ultimately, it comes to the telecom operators and how many suppliers they would like in their vendor supply chain. If we can disaggregate the network and come up with open standards for various parts of the network, such as open RAN and backhaul network gateways, that opens the playing fields and enables companies to compete equally. As I say, there are a number of UK companies that could compete. They are globally competitive and could compete on equal grounds with other companies to get access to those markets.

In terms of the timescale to do this, at the moment we have three monolithic suppliers and we are going down to two. Patching that scenario feels like a very short-term timescale, but I would indicate that a broader diversification would probably be in the order of three to five years.

Steve McCabe, Labour, Birmingham, Selly Oak

Thank you. I want to try to squeeze in both Sara Britcliffe and Chris Matheson before we go the Minister and the shadow Minister, so we need short questions and succinct answers.

Sara Britcliffe, Conservative, Hyndburn

Q Mine is quite a simple question: what do you support in the Bill? Can I come to you first, Nick?

Dr Johnson:

I think broadly the Bill is okay. I have a couple of questions about the wording. The definition of a security compromise is too narrow. At the same time, the first clause would cover every single bug in every single system, regardless of whether they were to do with security or not. Does it affect availability, performance or functionality? Every bug on the planet would qualify for that. The Bill does not cover the issue of prepositioned viruses that are implanted in software, which are crucial to the next phase of network security, but it broadly makes sense.

I have one other comment around the designated vendors. What do the friends of the Bill think about a designated technology register? Designated vendors are all very well, but the technology that is being incorporated into telecoms networks is itself subject to security concerns. Should such a register of the specific technology generations or of particular operating systems and libraries, which are known to be buggy or compromised from a security point of view, be included in the Bill? It might be too late in the day for that, but I guess some of this will be picked up by the NCSC.

Steve McCabe, Labour, Birmingham, Selly Oak

I am sorry to interrupt, but I want to move on to Heba Bevan. The question was, what is there in the Bill that you really approve of?

Heba Bevan:

One of the things in the Bill that, to me, is essential is that whoever is providing the telecommunications system has to be liable for providing the security on it. I totally agree on that. They have to make sure it is secure. There are a few bits and pieces on how that is being achieved but, because of time, I can send you a few points around that.

Steve McCabe, Labour, Birmingham, Selly Oak

That would be helpful, thank you.

Dr Sellars:

I agree with the points made by the other two witnesses.

Chris Matheson, Shadow Minister (Digital, Culture, Media and Sport)

Q Thank you for squeezing me in, Mr McCabe. I will direct this question to Ms Bevan; it should really be directed to the Minister, but unfortunately procedure does not allow that. There is a quote on the UtterBerry website:

“I am delighted UtterBerry has been selected as a champion of British technology excellence through the TechHub programme—just one of the new initiatives we have launched in partnership with industry and the Chinese government.”

That is from Sherry Madera, the deputy director general of the Department of International Trade at the British Embassy in China. Are our firms still being pushed to share communications technology with China as this Bill is going through?

Heba Bevan:

No, we worked with the Department of International Trade in 2016. The Chongqing Government were interested in having UtterBerry there. We spoke with our lawyers about the amount of IP we have and decided that we would not pursue this. We do not manufacture anything in China. Everything in UtterBerry is manufactured in the UK—software, hardware and everything we do. We mainly have graduates from the UK. We have European engineers, but recruitment is mainly kept closer, because of the IP sensitivity.

Chi Onwurah, Shadow Minister (Business, Energy and Industrial Strategy), Shadow Minister (Digital, Culture, Media and Sport), Shadow Minister (Science, Research and Innovation)

Q It is a pleasure to serve under your chairmanship, Mr McCabe.

I will be brief, as we are running out of time, but thank you for your expertise. My question to Andy Sellars and Heba Bevan is about the diversification strategy. In what areas do you think the UK has the capability to exploit the opportunities of this diversification strategy, particularly in hardware versus software? We have been told that hardware is beyond our manufacturing capabilities, yet you seem to be making a success out of it, Heba. What barriers are new entrants and smaller companies likely to experience and what kind of interventions should the Government make that are not fully addressed by the diversification strategy in order to ensure a UK capability in this area?

My question to Dr Johnson: we heard from Mavenir earlier, which said that open RAN could provide 2G, 3G, 4G and 5G networks now. We have also heard of the operational challenges associated with that. What is your view on the maturity of open RAN technology? We will start with Andy.

Dr Sellars:

The first question was about UK capabilities to exploit the opportunity. Specifically, the UK has a cluster of small-cell base station manufacturers around the Bath and Bristol area. We have satellite communications clusters around the north-east, central Scotland and Surrey. We have a compound semiconductor cluster around south Wales, employing 1,600 highly skilled engineers generating something like £180 million per annum to the Welsh and UK economy. We have quantum encryption expertise funded through Innovate UK’s programmes, we have world-leading providers of optical transceivers for fibre communications, and we have backhaul capability.

For interventions, I would suggest that the Advanced Propulsion Centre is a really good model to look at. It is in a different sector. It is funded through the Department for Business, Energy and Industrial Strategy, and its remit is to help to transition the automotive industry from petrol and diesel engines to electric drivetrains using batteries. Have a look at that as a model. It is an incredibly good model for transitioning an entire industry from one technology to another. It brings together supply chains and is very effective. That is one of the interventions I would suggest. Other interventions could be cyber-certification and just helping UK companies to access some of the standards bodies. That would be very effective. We have a lot of SMEs.

Heba Bevan:

Thank you for your question. On hardware, as a company—and to be honest in the UK as a nation—we do not have the essential foundries. We can design and prototype the silicon, and we can work on, from the beginning, how actually it would work, but the actual manufacturing of the chip—not the hardware: that one chip which is like the CPU or a piece of DSP—those actually require very high-intensity foundries. If we want to build them in the UK it will cost around £10 billion today—probably over that number. Andy can correct me on that.

In the far east, they have unlimited resources with the state aid rule; and Europe, in the last few years, passed something, for the state aid rule, called IPCEI, which is important projects of common European interest. Germany was able to fund €1.2 billion from its money to support these foundries. France put in €0.8 billion, and Holland put in €0.4 billion. In the UK in the last few years, in terms of building these foundries, the UK has not supported that type of manufacturing. In chip manufacturing, we do not. However, on the hardware scale we are able. The way we see it, we build the hardware; we build the software—but the actual components and the chips, today we do not have the capabilities in the UK to manufacture that.

Steve McCabe, Labour, Birmingham, Selly Oak

I am really sorry to do this to you, but I think I had better interrupt and go to the Minister or we will run out of time completely.

Matt Warman, The Parliamentary Under-Secretary of State for Digital, Culture, Media and Sport

Q Thank you, Mr McCabe, and thank you to all the witnesses, and particularly Dr Sellars for the map of UK brilliance, which is really appreciated. In short—given that we have four minutes—we have £250 million of this diversification funding to spend over the next three years or so. My question to you three is simply how you would spend it. Thirty seconds each: 250 million quid.

Dr Sellars:

I would prioritise the funding in terms of where the vulnerabilities are in the network, in terms of the ability of the UK to fulfil those vulnerabilities and in terms of what markets it would open up. There are specific parts in the telecoms stack that are likely to be more vulnerable than others, where the UK has prime capability and where we could then develop an export opportunity. I can provide some more detailed answers in writing if that is helpful.

Dr Johnson:

For my 30 seconds I would spend it on basic research, cementing the intellectual property position of the UK.

Heba Bevan:

I would agree with Dr Sellars—Andy: we need to increase the amount of spending around vulnerability and strengthening the network. One other point is about spending it on areas outside the UK so it would generate more jobs around the north.

Steve McCabe, Labour, Birmingham, Selly Oak

Chi, I think you had something outstanding, and you have got just about a minute and a bit to do it.

Dr Johnson:

So, the 45-second answer: Mavenir is using ip.access GSM 3G technology in its open RAN development. Pardeep, I think, said that it would be ready within 12 months, and I agree that that is a true statement.

Steve McCabe, Labour, Birmingham, Selly Oak

I am sorry we had to hurry you a bit, there, but we are trying to get through quite a lot this afternoon. Can I just thank all our witnesses for your evidence and the extra bits that you said you would possibly forward to us. That would be much appreciated. Thank you, on behalf of the Committee. That brings this session to a close.