Clause 3 - Codes of practice about security measures etc

Telecommunications (Security) Bill – in a Public Bill Committee at 2:30 pm on 21 January 2021.

Alert me about debates like this

Photo of Kevan Jones Kevan Jones Labour, North Durham 2:30, 21 January 2021

I beg to move amendment 6, in clause 3, page 5, line 4, at end insert—

“(ia) the National Cyber Security Centre;”

This amendment would require the Secretary of State to consult the National Cyber Security Centre on any draft code of practice about security measures under new section 105E.

Photo of Steve McCabe Steve McCabe Labour, Birmingham, Selly Oak

With this it will be convenient to discuss the following:

Amendment 10, in clause 3, page 5, line 8, at end insert—

“(iiia) the National Cyber Security Centre;”

This amendment requires the Secretary of State to consult the National Cyber Security Centre before issuing a code of practice about security measures.

Amendment 5, in clause 4, page 7, line 41, after “OFCOM”, insert—

“and the National Cyber Security Centre”.

This amendment would require providers to inform the National Cyber Security Centre, as well as OFCOM, of any security compromise.

Photo of Kevan Jones Kevan Jones Labour, North Durham

We are romping through the Bill, aren’t we? Two clauses in less than 15 minutes.

Again, these amendments are probing. I might sound like a broken record, but my aim with them is to ensure that national security and those who deal with national security decision making are at the centre of the decisions that are taken. Amendment 6 would require the Secretary of State to

“consult the National Cyber Security Centre on any draft code of practice about security measures under new section 105E.”

The Minister will say, “Well, it is self-evident that they will do that,” but going back to my Robin Day analogy from this morning, legislation needs to survive him, me and everyone else. The guidance will change over time, and we have to ensure that whoever is sitting in the Minister’s seat in 10 years’ time—hopefully, it will not be the current Minister, not for any unfair reason, but because he has gone on to higher and better things—the onus is on the Secretary of State to consult. Having that on the face of the Bill, or at least some discussion about it, would reinforce that, because the Secretary of State will move on, and there will be new civil servants, who might not have as clear an indication as the Minister will give today, or perhaps a Minister who thinks that this is the key part.

It might be a bit anorak-ish, but the problem with the national security world, which I inhabit occasionally, is that people can see everything through the national security prism—although I am not sure that that is the case for everyone. It will be important to ensure that the individuals at the National Cyber Security Centre have a real input, and not just to say that they will be consulted. The NCSC, which was introduced at the tail end of the coalition Government, is the only positive thing I can think of that that Government did. We now have a world-beating centre that protects our national security and also does a very strange thing: it looks to the secret world, but also looks outwards, engaging with the industry and individual citizens, too.

That is now being replicated around the world. I chair the science and technology committee of the NATO Parliamentary Assembly. On our visit to the UK the year before last, we visited the centre, and most of my parliamentary colleagues from across the world, including the US, were quite impressed with how it balanced complete secrecy about things that need to be kept secret and having that outward-looking approach. I am really just trying to see how we can ensure that going forward.

Amendment 5 seeks to ensure that the NCSC, as well as Ofcom, is informed of compromises and breaches. I am sure the Minister will tell me that Ofcom and the NCSC have such a symbiotic relationship that that information will automatically be transferred, but again we are assuming a lot about what will be done. It is important that this Committee at least discusses how we ensure that that continues. I will come to Ofcom personnel, but various comments have been made. I asked the head of Ofcom about Ofcom’s expertise in dealing with these issues, and this comes back to the point I made to that witness. This is about mindset. Whether we like it or not, people in the security world think differently from the rest of us in how they approach things. Ofcom will have a learning curve, not only in recruiting the individuals with the capability to do this work, but in ensuring the culture to react to these issues. My two amendments seek to ensure not only that national security is at the heart of the Bill, but that practitioners have a clear focus on national security risk.

Photo of Chi Onwurah Chi Onwurah Shadow Minister (Business, Energy and Industrial Strategy), Shadow Minister (Digital, Culture, Media and Sport), Shadow Minister (Science, Research and Innovation) 2:45, 21 January 2021

I rise to support my right hon. Friend’s excellent comments and to add a couple of points on amendment 10, which would require the Secretary of State to consult the National Cyber Security Centre before issuing a code of practice about security matters. My right hon. Friend spoke ably about the amendment’s intent to ensure security input on national security measures. That sounds basic, so I hope the Minister will explain why he feels it is unnecessary to make that explicit in the Bill. My right hon. Friend suggested that perhaps it should go without saying, but as we heard in the evidence sessions and have already discussed, the evolving security landscape and the change that the Bill represents, through the new powers for the Secretary of State and Ofcom, make it particularly important to set that out expressly.

The Bill looks at many issues to ensure the security of our networks from supply chains to requirements on network providers as well as raising technical issues, and Ofcom will need to do a lot specifically, so it is important to have a specific reference to the security function of the National Cyber Security Centre.

It came across clearly in the evidence sessions that Ofcom will not be making national security judgments. Lindsey Fussell said:

“It is important to say that, across the scope of the whole Bill, it is not Ofcom’s role to make national security judgments. That is really important. Clearly, that is the Government’s and the Secretary of State’s role, taking advice from the NCSC and the intelligence agencies.”—[Official Report, Telecommunications (Security) Public Bill Committee, 19 January 2021; c. 89, Q113.]

In introducing the code of practice, it is essential to ensure that security input and expertise. I do not see why the Minister would object to including such a requirement in the Bill. Unfortunately, we are not always as joined up as we would like to be. There are numerous examples of issues that could have been prevented, had agencies of Government done what might have been expected of them and talked to teach other. As the Bill involves network operations and deep technical and security issues, a requirement to consult the NCSC is particularly important, and that is what the amendment would achieve.

Photo of Matt Warman Matt Warman The Parliamentary Under-Secretary of State for Digital, Culture, Media and Sport

I apologise in advance, having said that we should crack on, for detaining the Committee for a few minutes on this group of amendments. They relate to clauses 3 and 4, which deal with the codes of practice for security measures and informing others of security compromises. Ultimately, the new telecoms framework comprises three layers. There are strengthened overarching security duties set out in the Bill, there are specific security requirements in secondary legislation, and there are detailed technical security measures in codes of practice. Clause 3 deals with the final layer of the new security framework. Specifically, it provides the Secretary of State with the power to issue and revise the codes of practice and sets out the legal effects of any published codes of practice.

Clause 4 addresses what would happen should there be a security compromise. It puts in place a process for users to be informed of significant risks of a security compromise. The clause also places a duty on public telecoms providers to inform Ofcom of any security compromises with significant impacts, and it creates the power for Ofcom to inform other persons in turn, including users.

I turn now to amendment 5, which seeks to ensure that the NCSC is also informed of security compromises. From a drafting point of view, the NCSC is part of GCHQ, and I take the amendment to refer to GCHQ in that sense. Within the new telecoms framework, the Department for Digital, Culture, Media, and Sport will set the policy direction, Ofcom will regulate and the NCSC will provide technical and security advice. As the UK is an world-leading national authority on cyber-security, we expect the NSCS to share its expertise with Ofcom in order to support the implementation of a new telecoms security framework.

For that reason, the Government absolutely agree that it is crucial that the NCSC receives information about telecoms providers’ security. That is why such information-sharing provisions already exist. Under section 19 of the Counter-Terrorism Act 2008, Ofcom or the Secretary of State is able to share with the NCSC any information that would support the NCSC in carrying out its functions. That would of course include the passing on of details of security incidents. Under new section 105L of the Communications Act 2003, which this Bill inserts, Ofcom must report all serious security incidents to the Secretary and State and can pass on information about less serious incidents as well. On receiving such information, the Secretary of State can then share the information with the NCSC, as I have set out. Although these probing amendments are well-intentioned, it is obvious that the provisions are already there.

Photo of Chi Onwurah Chi Onwurah Shadow Minister (Business, Energy and Industrial Strategy), Shadow Minister (Digital, Culture, Media and Sport), Shadow Minister (Science, Research and Innovation)

I thank the Minister for his response to the amendments. He is focusing on the fact that it is possible for information to be shared, but it is not required. I understand that the Bill as drafted, and preceding best practice, means that it is possible for information to be shared. My concern is that it is not required.

Photo of Matt Warman Matt Warman The Parliamentary Under-Secretary of State for Digital, Culture, Media and Sport

I understand the hon. Lady’s point, and I will come to something that I think will address it in a moment. Before I do, I will speak to amendments 6 and 10, as they would be functionally identical amendments to new section 105F in clause 3.

New section 105F sets out the process for issuing a code of practice. It requires a statutory consultation on a draft code of practice with the providers to whom the code would apply, Ofcom and other persons such as the Secretary of State considers appropriate. The amendments would apply an additional requirement to formally consult the NCSC when publishing a draft code of practice. I can reassure the Committee that we will continue to work closely with technical experts at the NCSC, as we have done over a number of years.

The telecoms supply chain review demonstrated the Department’s capability to work with our intelligence and security experts to produce sound recommendations, backed by the extensive and detailed security analysis that I know Members of all parties would like to see. That initiated the next phase of the collaborative work that culminated in the introduction of the Bill, and the codes of practice continue that theme. The purpose of such codes is to provide technical security guidance on the detailed measures that certain public telecoms providers should take to meet their legal obligations.

We have already been clear that NCSC guidance will form the basis of an initial DCMS-issued code of practice. The NCSC has already developed a set of technical measures that is in the process of being tested with the industry, and those technical measures have been refined and improved over the last two years. The NCSC will continue to update the measures to reflect any changes in the landscape of threats, as the right hon. Member for North Durham described, and the relationship between the work of the DCMS and that of the NCSC means that such changes would be reflected in the code of practice. Alongside the DCMS and Ofcom, the NCSC will play a key role in advising public telecoms providers on how to implement detailed codes of practice.

Photo of Kevan Jones Kevan Jones Labour, North Durham

I agree with the Minister, in the sense that I think he and the Secretary of State at the DCMS are committed to there being very close working, but as I said, he ain’t gonna last forever. An issue will come up —in fact, it came up last night on the National Security and Investment Bill—when operators and others say, “Actually, from a commercial point of view, this is more paramount,” or, “This is what we should be doing.” The Secretary of State will come under a lot of pressure to perhaps look at prosperity issues rather than security issues. I just wonder whether, without the relevant provision in this Bill, a future Secretary of State could say, “Well, I’m going to ignore that issue, because I want to pander to”—well, not pander to—“accept the commercial and prosperity arguments.”

Photo of Matt Warman Matt Warman The Parliamentary Under-Secretary of State for Digital, Culture, Media and Sport

The right hon. Gentleman keeps going on about ministerial impermanence, but I will not take it personally.

Photo of Kevan Jones Kevan Jones Labour, North Durham

I talked about promotion.

Photo of Matt Warman Matt Warman The Parliamentary Under-Secretary of State for Digital, Culture, Media and Sport

Too kind! The key part to this is that, obviously, Ofcom remains an independent regulator and will be working closely with others. The right hon. Gentleman makes a fair point about the inevitable balance between national security and a whole host of other issues, but ultimately that independence is absolutely essential. In the light of our long-standing and established working relationships across the DCMS, NCSC and Ofcom, it seems reasonable to say that there is a track record demonstrating what he has asked for. But given the Committee’s interest in the role of the NCSC in this regime, I will just make one last point. Its role is not explicitly described in the Bill, as the NCSC already has a statutory remit, as part of GCHQ, to provide technical security advice and to receive information on telecoms security for the purpose of exercising that function.

The NCSC and Ofcom will very soon publish a statement setting out how they will work together. I think that addresses some of what the hon. Member for Newcastle upon Tyne Central mentioned; I believe she has some familiarity with Ofcom. I think it is right, because they are independent, that that statement comes from them, as well as the Government expressing a view on this. The statement will include information on their respective roles and their approach to sharing information on telecoms security, and it should provide greater clarity, which hon. Members are entirely legitimately asking for, about the NCSC’s role, including how it will support Ofcom’s monitoring, assessment and enforcement of the new security framework.

I hope that the sorts of matters that I have talked about provide the kind of reassurance that Members have asked for.

Photo of Kevan Jones Kevan Jones Labour, North Durham

A statement is a welcome step forward, but—the Minister can write to me on this; he need not respond to me today—what is its legal weight? Again, I am not wanting to consider the Minister’s demise, but I would like to know that future Secretaries of State and Ministers will use it as the template and will not be able to say, “Well, we are going to ignore that statement.” That would be very welcome, because it would bind the two organisations together, which is important, and ensure that the security aspects were taken into consideration, but will the Minister just write to me, saying what weight the statement would have? I have to say that I sympathise; I do not like Christmas tree Bills that start having things added on. If it could be done in a complete way, I would be quite happy with that. The only thing that I want to know is, basically, what its status will be in future. I beg to ask leave to withdraw the amendment.

Amendment, by leave, withdrawn.

Question proposed, That the clause stand part of the Bill.

Photo of Matt Warman Matt Warman The Parliamentary Under-Secretary of State for Digital, Culture, Media and Sport 3:00, 21 January 2021

The Committee has already heard me talk about some of this, but I think it important to provide a little more detail. The code of practice, which we have discussed, is a fundamental building block of the regime and will contain more specific information on how telecoms providers can meet their legal duties. It will provide guidance on how, and to what timescale, certain public telecoms providers should comply with their legal obligations, and will be based on technical analysis by the NCSC. Individual measures will therefore reflect the best protections against the most pressing threats to network security. The code will, for example, set out the detailed technical measures that should be taken to segregate and control access to the areas of networks that process and manage customers’ data.

We recognise of course that different companies have different ways of setting up and running their networks, and because our telecoms market is dynamic and competitive, providers range in scale from multinational giants such as Vodafone down to innovative local start-ups. We want therefore to ensure that the code of practice is proportionate, and that public telecoms providers take appropriate security measures.

I will touch as briefly as I can on how we intend to achieve that proportionality through a tiered system. Tier 1 will contain the largest national-scale public telecoms providers. Should any of those providers have a significant security incident, it could bring down services to people and business across the UK. Those operators will have the greatest level of oversight and monitoring from Ofcom. Tier 2 will contain medium-sized public telecoms providers. Those providers may not be as large, but in many cases they are critical to regions and to business connectivity. They are expected to have more time to implement the security measures set out in the code of practice.

Tier 3 will contain the smallest public telecoms providers, including small businesses and micro-enterprises, which, of course, must also comply with the law. They are not anticipated to be subject to the measures in the code of practice, but will need to comply with their legal duties as set out in new sections 105A and 105C, and in any regulations. Our expectation is that Ofcom would regulate those providers more reactively.

New section 105F describes the process for issuing a code of practice. When the Government publish a draft code of practice, we will consult with industry, Ofcom and any other appropriate persons. Specifically, publishing the first code of practice will include consulting on the thresholds of each of the tiers that I have described and on the timings for their implementation. Following the consultation period, and once the code is finalised, it will be published and a copy will be laid before Parliament.

New section 105G gives the Secretary of State the power to withdraw a code of practice. Again, that will follow consultation with industry and Ofcom. A notice of withdrawal will be laid before Parliament. The legal effects of the code of practice are described in new section 105H. To be clear, the code of practice is guidance only; it is an important tool that operators should use to comply with their legal duties.

Photo of Kevan Jones Kevan Jones Labour, North Durham

Is the Minister saying that the code of practice is the standard that providers are expected to meet? Is it the legal bare minimum or do we expect them to do more than what is set out in the code of practice? What is the direction of travel?

Photo of Matt Warman Matt Warman The Parliamentary Under-Secretary of State for Digital, Culture, Media and Sport

The legislation places a duty on providers. Meeting the strictures of the code of practice would be the way of demonstrating that they were meeting that duty as an initial step, but of course, we see individual companies making decisions, for a host of reasons, to exceed codes of practice in every area of regulated life, and I would expect that to continue in the area in question as well.

Where relevant, provisions in a code could be taken into account in legal proceedings before courts or tribunals, which I think gives some sense of their status. That would include any appeals against Ofcom’s regulatory decisions heard by the Competition Appeal Tribunal. Ofcom will take account of the code of practice when carrying out its functions as required in new section 105H(3) in relation to telecoms security, as I have just described.

Under new section 105I, if Ofcom has reasonable grounds for suspecting that a telecoms provider is failing, or has failed, to act in accordance with a code, it can ask public telecoms providers to explain either how they meet the code of practice or, if they do not meet it, why. For example, if the network set-up of a particular telecoms provider meant that it could achieve a level of security equivalent to that in the code by other means, it could explain that in its statement responding to Ofcom. In such a case Ofcom might be satisfied that the provider was complying with its security details, but hon. Members will see that we are again trying to ensure a proportionate approach to the relevant part of the framework.

We believe that the code of practice will provide an appropriately flexible framework, which will be able to change as new security threats evolve, providing clarity for telecoms operators on what is required of them by this new telecoms security framework.

Photo of Chi Onwurah Chi Onwurah Shadow Minister (Business, Energy and Industrial Strategy), Shadow Minister (Digital, Culture, Media and Sport), Shadow Minister (Science, Research and Innovation)

I will not detain the Committee very long either, as we agree about the importance of codes of practice. I will not say that I am entirely reassured to hear of the statement being issued by Ofcom and the NCSC on how they will work together, but I certainly think that it is a positive development, and I hope we will be able to see it before the Bill progresses to the House.

On the codes of practice, as my right hon. Friend the Member for North Durham set out, it is important that the sector should understand the standard to which it will be held. I have some concerns about the tiering system, because, as was made clear by a number of witnesses during the evidence sittings, all networks are joined up and we are only as secure as the weakest link. At the same time, it is important to have a proportional burden on new entrants as we indeed hope to diversify the supply chain.

I understand, although perhaps the Minister can clarify the point, that the codes of practice will not refer to the diversification of the supply chain, despite the fact that having a secure network—we shall debate this in more detail—is dependent on having a diverse supply chain. I have made the point a number of times, and will make it repeatedly, that the lack of linkage between the diversification strategy, implementation and the security of our networks is an ongoing cause for concern. However, having made those comments, I do not object to the clause.

Question put and agreed to.

Clause 3 accordingly ordered to stand part of the Bill.