Clause 5 - General duty of OFCOM to ensure compliance with security duties

Telecommunications (Security) Bill – in a Public Bill Committee at 3:15 pm on 21 January 2021.


Chris Matheson Shadow Minister (Digital, Culture, Media and Sport) 3:15, 21 January 2021

I beg to move amendment 11, in clause 5, page 9, line 41, at end insert—

“(2) Providers of public electronic communications networks and public electronic communications services must notify Ofcom of any planned or actual changes to their network or service which might compromise their ability to comply with the duties imposed on them by or under sections 105A to 105D, 105J and 105K.”

This amendment would require providers of public electronic communications networks or services to notify Ofcom of any changes to their network or service which might compromise their ability to comply with their security duties.

It is a great pleasure to serve under your chairmanship, Mr McCabe. Since this is my first substantive contribution to the Committee, I pay tribute to the Front Benchers. It is nice to have a Minister who, I believe, was formerly a tech journalist specialising in telecoms, and who knows the subject well. Of course, the shadow Minister, my hon. Friend the Member for Newcastle upon Tyne Central, was a telecoms engineer and an Ofcom regulator for many years, and I pay tribute to her and her staff. The Committee should know that in addition to running this Bill Committee from the Opposition’s side, she has also been working in the main Chamber this week on the National Security and Infrastructure Bill Committee. Juggling two Bills at once is no mean feat.

I have also greatly enjoyed the interplay between my right hon. Friend the Member for North Durham and the hon. and gallant Member for Bracknell, both of whom have considerable national security experience. I was intrigued by my right hon. Friend’s estimation of the hon. and gallant Gentleman’s intervention as Schrödinger’s intervention—one that managed to be simultaneously right and wrong. He has set a new standard there.

From listening to the debates on previous clauses, it is clear that a common thread passes through the Bill, which we in the Opposition have been hoping to link up. Partly, it is to do with the question we raised earlier about the assumption that everybody understands exactly what the intention in the Bill is, and that everything will be all right in the long term. My right hon. Friend the Member for North Durham has talked about the importance of making things as clear as possible when it comes to responsibilities, because a future Minister might not be as adept in this subject as the hon. Member for Boston and Skegness, who currently occupies that position. In a sense, that is the heart of amendment 11.

Clause 5 asserts a general duty on Ofcom to assure compliance with security details. Much of the detail required under this clause is specified in the next one, clause 6. Obviously, we welcome the clause, which lies at the heart of the purpose of the Bill and underpins the powers and responsibilities given to the regulator. The amendment shares some responsibility with the network providers, which must surely also have a duty to maintain a running assessment of security—something that I am sure that they must try to do already, but which still requires scrutiny. The historical context is clear because, as my hon. Friend the shadow Minister and my right hon. Friend the Member for North Durham have talked about, BT sold off a chunk of its network to Huawei and did not formally inform the regulator or the Government of its intention to do so until a couple of years after the event.

In the evidence sessions, we heard varying views on the ability of network providers to assess their networks, equipment and software for compliance with the proposals before the Committee today. All the main network operators gave confident answers regarding the integrity and reliability of their asset registers when it comes to equipment and presumably—but only presumably—the software that drives it. The impression was clear that, at the top level, work had already been undertaken on making an assessment of what assets would need to be replaced before the 2027 deadline, and where the operators were on that. We welcome that.

Some later witnesses, however, while not entirely contradicting that certainty, suggested that the task would not be so easy. We heard about overlapping 2G, 3G, 4G and 5G networks, with different equipment of different ages. My hon. Friend the shadow Minister gave a shocking statistic in relation to the age of the equipment that was responsible for the insecurity that led to the TalkTalk hack. I describe that overlapping network as sounding to non-experts—such as me, I hasten to add—like a bowl of spaghetti.

We therefore accept that any assessment is a complicated task, and we recognise the work that providers have undertaken and will continue to undertake to make good the security of the networks, but several problems remain. First and foremost, any audit or asset register is simply a snapshot at the moment. When national security is at stake, an accurate, up-to-date and rolling picture and assessment must be available. It is better to know in advance where problems might occur.

Any business faces commercial pressures, and although I have confidence that no British provider will ever take risks with our nation’s security, the obligations outlined in the amendment will provide clarity and certainty as to which side of the line they should fall in any situation where doubt occurs about whether they ought to discuss potential issues with Ofcom. I think my right hon. Friend the Member for North Durham was hinting at some of those pressures when in the previous clause he mentioned the TalkTalk hack and some of the commercial pressures that companies are under.

Another issue is the relationship between Ofcom and the companies that are being regulated—the network and service providers—because Ofcom is at once a regulator, necessarily with a stick in hand, and a partner agency that is hoping to support the service providers to meet their obligations. We hope that the amendment will provide a little bit of clarity in order to make that partnership more even.

The amendment encourages a rolling conversation with Ofcom, with those matters at the forefront. I assume and hope that that will be happening anyway but, as I have said already, assumption is no basis on which to proceed in legislation. The amendment therefore provides clarity on a sense of obligation. It would also help providers to address problems at the outset and to have the knowledge, as far as possible, but they are likely to be complying on security under the regulations, rather than finding themselves in a situation where they have to comply with the duty under the sections mentioned in the amendment only after the fact and only after work has been done.

Finally, clause 5 puts an obligation on Ofcom, but Ofcom cannot be blamed for not knowing something that it does not know and so failing in its duties under clause 5. The amendment, by sharing the responsibility with the network providers, would assist Ofcom in its duties of overseeing the networks and, I hope, foster more of a partnership when addressing the problems, in the interests of the nation.

We have to avoid providers doing first and telling Ofcom later, because the avoidance of problems is greatly to be preferred to enforcement action further down the line. We have to make things easy for Ofcom. The regulator is growing in scope and complexity, as my hon. Friend the shadow Minister has said, and national security responsibilities are still fairly novel for Ofcom. That load has to be shared, and the amendment provides a focus for providers to assist.

I was a little concerned by suggestions during the evidence sessions that it gets harder to verify security and compliance the further we go down the supply chain. The focus on national security has to be baked in. With a chip here or a piece of software code there which might have been carried forward from a previous or separate piece of equipment, as my right hon. Friend the Member for North Durham has said, it has to be the responsibility of the suppliers and ultimately the network providers not to make any assumptions, but to query every aspect of their asset register and propose changes to it to maintain their duty of security and compliance under sections mentioned in this amendment.

We heard expert testimony during the evidence sessions. Dr Drew said:

“On having providers be more proactively involved, I think it would make complete sense for these actors to be made to inform Ofcom, or whichever regulator is chosen, of significant changes to their supply chains.”––[Official Report, Telecommunications (Security) Public Bill Committee, 19 January 2021; c. 83, Q101.]

Andrea Donà said:

“We need a clear understanding between Ofcom and us as providers before the legislation is enforced, so that we understand exactly the boundaries and the scope, and we all work together, having done the audits, to close any vulnerabilities that we might have. That is a clear aspect of our working together: ensuring that the assets in the telecoms network infrastructure that are in scope are very well defined.”––[Official Report, Telecommunications (Security) Public Bill Committee, 14 January 2021; c. 16, Q14.]

The amendment is simple and straightforward, sharing the obligation on security and allowing for a forward-looking assessment by Ofcom and network providers to give the assurance that we need and to head off problems before they arise. It is about being forward-looking and not always being reactive. I commend it to the Committee.

Chi Onwurah Shadow Minister (Business, Energy and Industrial Strategy), Shadow Minister (Digital, Culture, Media and Sport), Shadow Minister (Science, Research and Innovation) 3:30, 21 January 2021

I rise simply to support the excellent speech made by my hon. Friend the Member for City of Chester. I thank him for his very kind words. In the amendment, he makes an important contribution in ensuring that Ofcom knows what it needs to know and in putting the onus more firmly on the network providers. I simply ask the Minister to respond to the points that my hon. Friend made in his concluding remarks about being forward-looking.

A challenge for us as a nation in securing our networks during such fast-paced technological change is looking backwards to the problems we have had rather than forwards to the evolving and new threats. During the evidence sessions, we were accused of fetishising 5G as if that was the only security challenge, because of the visible problem with Huawei, and that we were not looking more broadly. I admired Ofcom during my time there because it was set up to be a forward-looking regulator. To achieve that aim, when it comes to the sweeping new requirements around security that are placed on it under the Bill, it needs to be able to see what changes are happening and are likely to influence future evolving threats. To do that effectively, amendment 11 requires the network providers to notify Ofcom of planned or actual changes.

It is worth remembering that—I made this point earlier—if BT had been required to notify Ofcom or another body of changes to its network as Huawei moved to a greater and more dominant position in its network, that might have rung alarm bells more generally. We have also already mentioned the shift that we are seeing on the importance of software and software configuration and services in controlling the network. Requiring providers to notify Ofcom of planned or actual changes to the network would make that evolution more easily visible and therefore provide Ofcom with greater visibility of how all our networks are evolving and what new threats may arise as a consequence.

Matt Warman The Parliamentary Under-Secretary of State for Digital, Culture, Media and Sport

The amendment would add to the general duty in clause 5 that places on Ofcom the duty to ensure that providers comply with their security duties. The duty as written in the Bill makes clear Ofcom’s increasing role. The duties imposed on public telecoms providers in the Bill are legally binding, so as the Bill is written providers should not be taking decisions that would prevent them from complying with those duties in the future. If they were not to comply, they would be in breach of their legal duties and liable for enforcement action, including the imposition of the significant penalties set out in the Bill.

The underlying purpose of the amendment—that Ofcom should take a proactive role in regulating the regime—is already core to what is in the Bill and the Government absolutely agree with the principle that the hon. Member for City of Chester set out. We need to ensure that Ofcom has the tools to be forward-looking so that, in a world of fast-changing technologies and threats, it can understand where operators are taking their networks and how that will affect their security. That is an absolutely essential part of the Bill.

James Sunderland Conservative, Bracknell

Does the Minister agree that the Bill in its current form is prescriptive enough already?

Matt Warman The Parliamentary Under-Secretary of State for Digital, Culture, Media and Sport

I think the Bill is perfectly drafted down to every comma and punctuation mark. To be slightly more serious, what we have sought to do in the drafting is to strike the balance between proportionate regulations and the overarching requirements for national security. That is the balance that we have struck and it is exactly for that reason that we already do in the Bill what the hon. Member for City of Chester and the shadow Minister seek with the amendment.

In section 135 of the Communications Act 2003, as amended by clause 12, Ofcom is already allowed to require information from providers about the future development of networks and services that could have an impact on the security of the network or service they are providing. That would enable Ofcom, for instance, to assess the security risks arising from the deployment of a new technology or from the proposed deployment of a new technology. For those reasons, I hope that the hon. Members are reassured not just that the Bill does what they seek, but that previous drafts of the Communications Act already did so.

Chi Onwurah Shadow Minister (Business, Energy and Industrial Strategy), Shadow Minister (Digital, Culture, Media and Sport), Shadow Minister (Science, Research and Innovation)

I thank the Minister for giving way; in doing so, he shortens what I will say later. I think the Minister is saying that Ofcom has the power to require information, which is true, but the amendment is about providers proactively giving that information. Ofcom cannot request information about a change to the networks that it does not know is happening. I am hoping that perhaps what the Minister is implying is that he would expect Ofcom regularly to review what was changing in the networks and therefore make those requests for further information. Could he clarify that point?

Matt Warman The Parliamentary Under-Secretary of State for Digital, Culture, Media and Sport

The sort of horizon scanning that the hon. Lady describes is core to all essential regulation, and the relationship that Ofcom has with those whom it regulates promotes the ability to have such conversations. But as I said, the key point is that an operator that proposes knowingly to introduce a risk into its network would clearly not be complying with the statutory provisions of the Bill. That is the essential nub of the issue.

Chris Matheson Shadow Minister (Digital, Culture, Media and Sport) 3:45, 21 January 2021

I am most grateful for the debate on the amendment. My hon. Friend the shadow Minister made the key point that Ofcom cannot be blamed for not enforcing something that it does not know anything about. The amendment’s intent was to encourage a sense of shared responsibility in what my right hon. Friend the Member for North Durham reminded us is still a competitive industry in which businesses might want to maintain a level of confidentiality about technological changes or the deals they are doing with suppliers. However, if the Minister is satisfied that that is covered in other parts of the legislation, I beg to ask leave to withdraw the amendment.

Amendment, by leave, withdrawn.

Clause 5 ordered to stand part of the Bill.