Clause 15 - Designated vendor directions

Telecommunications (Security) Bill – in a Public Bill Committee at 10:00 am on 26 January 2021.

Alert me about debates like this

Photo of Kevan Jones Kevan Jones Labour, North Durham

I beg to move amendment 16, in clause 15, page 22, line 12, at end insert—

“(2A) When considering whether a designated vendor direction is necessary in the interests of national security, the Secretary of State must take account of the advice provided by the intelligence services.”

This amendment would require the Secretary of State to give due priority to advice provided by the Intelligence Services (including the National Cyber Security Centre as part of GCHQ) when considering when to issue a designated vendor direction.

Photo of Philip Hollobone Philip Hollobone Conservative, Kettering

With this it will be convenient to discuss the following:

Amendment 17, in clause 16, page 27, line 8, at end insert—

“(3A) When considering whether a designation notice is necessary in the interests of national security, the Secretary of State must take account of the advice provided by the intelligence services.”

This amendment would require the Secretary of State to give due priority to advice provided by the Intelligence Services (including the National Cyber Security Centre as part of GCHQ) when considering whether to issue a designation notice.

Amendment 18, in clause 16, page 28, line 3, at end insert—

“(m) the person’s control of data flows.”

This amendment requires the Secretary of State to consider a person’s potential control of data flows when issuing a designation notice.

Clause 16 stand part.

Amendment 19, in clause 17, page 29, line 19, at end insert

“, together with an assessment of the impact the designation notice will have on supply chain diversity;”.

This amendment requires the Secretary of State to lay before Parliament a report on the impact a designation notice will have on telecoms market supply chain diversity, enabling parliamentary scrutiny.

Photo of Kevan Jones Kevan Jones Labour, North Durham

I thought I would bring some light relief to the Committee’s proceedings. Amendments 16 and 17 are both probing amendments. I might sound like a broken record, but they are really just to ensure that we get a situation where the necessary advice is taken. Amendment 16 states:

“When considering whether a designated vendor direction is necessary in the interests of national security, the Secretary of State must take account of the advice provided by the intelligence services.”

I accept that the entire purpose of the Bill is to have national security at its heart, but I still have a nagging doubt about whether Ofcom will be able to put national security at the heart of its considerations.

Amendment 17 states:

“When considering whether a designation notice is necessary in the interests of national security, the Secretary of State must take account of the advice provided by the intelligence services.”

This is an attempt to future-proof the Bill. As I mentioned the other day, when we pass legislation in this place it is important that it outlives present Ministers, and us all. Unfortunately, there is form on this—look at the Intelligence and Security Committee’s 2013 report on critical national infrastructure. I accept it was then the Cabinet Office, not Ofcom, that dealt with this, but when BT negotiated its contract with Huawei, the Cabinet Office was told about it but did not feel it necessary to tell Ministers for another three years, until 2006. I am concerned that national security will not be at the forefront when people look at such matters. The amendment is really just to ensure that that takes place, and codifies it into law.

I do not wish to criticise civil servants in any way, but having been a Minister myself, I know they sometimes have a tendency not to put forward things that might have a political dimension that they do not recognise. That is why it is important for national security that the Secretary of State has first-hand knowledge and information directly from the security services. We have very effective security services in this country—I pay tribute to them—but we also have the Cabinet Office. I know the Minister might think I am a bit obsessive, but I am sure he has come up against the buffer of the Cabinet Office, which seems to want to intervene in everything and anything that does not really concern it.

The Secretary of State should have access directly to the security information and should not have to go through the filter of the Cabinet Office or Ofcom. I accept the assurances that the Minister gave about Ofcom’s ability to give advice and work closely with the security services, and these are probing amendments. I am interested in what he says about how we can ensure that when the Secretary of State takes a decision, national security is at its heart, and that he or she got it straight from the horse’s mouth—in other words, from the security services—rather than its being filtered through the membrane that sometimes exists in Whitehall.

Photo of Matt Warman Matt Warman The Parliamentary Under-Secretary of State for Digital, Culture, Media and Sport 10:15, 26 January 2021

I thank the right hon. Gentleman for his contribution to the debate. He has talked so much about my impermanence that I felt lucky to come back today, never mind any time in the future. He makes a reasonable point, with which I broadly sympathise. As this is a broad grouping that covers clauses 15 and 16 and the amendments to clauses 15, 16 and 17, I will discuss the policy intention behind the clauses in sequence, and address the amendments.

As the right hon. Gentleman said, it is obviously an opportune moment to pay tribute to the heroic work of our national security services. The Bill emphasises the importance of their advice, and it empowers the Government to manage the presence of high-risk vendors in our networks. The report to which he refers is important, but it is also important to say that it was published, as he said, in 2013. It related almost entirely to events that took place under Labour, and it predates the existence of the National Cyber Security Centre, so we are dealing to some extent with a different world. I will go into a bit of detail on that.

As the right hon. Gentleman knows, the Government announced in January last year that new restrictions should be placed on the use of high-risk vendors in the UK’s 5G and full-fibre networks. In July 2020, the Government worked with the NCSC to update the guidance following action taken by the US Government in relation to Huawei. Clauses 15 to 17 provide the principal powers that the Government need to manage the risks posed by high-risk vendors. Without such powers, the guidance issued to industry will remain unenforceable and therefore present a risk to national security.

Photo of Kevan Jones Kevan Jones Labour, North Durham

I accept what the Minister says about the report, but its key point was that civil servants basically decided not to tell Ministers. On his explanation and the way forward, or what has changed since, how can we avoid a situation whereby Cabinet Office civil servants take the decision not to tell Ministers? How can we ensure that that will not happen again?

Photo of Matt Warman Matt Warman The Parliamentary Under-Secretary of State for Digital, Culture, Media and Sport

In short, the right hon. Gentleman is challenging the fundamental effectiveness of Government and the judgments that were made by officials at the time. I simply say that it is the duty of Government to ensure that such errors are not made in future. That cannot be done solely by legislative means; it must be done by custom and practice. The right hon. Gentleman understands, through his work on the ISC, that the role of those close working relationships is in some ways far more important in the day-to-day security issues that we are dealing with. Perhaps we can return to that point later.

The Bill will allow the Secretary of State to issue designated vendor directions, imposing controls on the use of goods, services or facilities that are supplied, provided or made available by designated vendors. The Secretary of State may issue such directions only where it is necessary to do so in the interests of national security and proportionate to the aims sought to be achieved.

Amendment 16, which would amend clause 15, seeks to place a statutory requirement on the Secretary of State to take into account advice from our intelligence services when considering whether to issue a designated vendor direction. Amendment 17, which would amend clause 16, seeks to place a similar requirement when considering a designation notice.

I should reassure hon. Members that the Secretary of State, as the right hon. Member for North Durham knows, has every intention of seeking the advice of our security and intelligence services, as would any Secretary of State, in particular the NCSC, when considering whether to issue a designated vendor direction or designation notice.

It is also worth saying, from a scrutiny point of view, that the Department for Digital, Culture, Media and Sport maintains an excellent relationship with the NCSC. We are scrutinised by the Select Committee on Digital, Culture, Media and Sport and I have appeared before the Intelligence and Security Committee, as the right hon. Gentleman knows. There are many examples in the Bill where the NCSC’s expert advice has been taken into account.

The UK telecoms supply chain review, on which the Bill is based, was the product of the close working relationship between the Department for Digital, Culture, Media and Sport and the NCSC. In a sense, that close working relationship demonstrates that matters have moved on substantively since 2013.

I draw hon. Members’ attention to the illustrative notices that we published in November last year. The NCSC was closely involved in the drafting of those illustrative notices. It will also be involved in the drafting of direction and designation notices once the Bill has been enacted . Given the demonstrable success of our collaboration with the NCSC thus far, I hope that the right hon. Gentleman will be satisfied with that explanation, although I appreciate that he introduced a probing amendment.

Clause 15 would create the new power for the Secretary of State to issue designated vendor directions to public communications providers, in the interests of national security. Although clauses 15 and 16 are distinct, they are complementary. Directions cannot be issued without identification of a designated vendor and designations have no effect unless directions are given to public communications providers. Clause 15 inserts new sections 105Z1 to 105Z7 into the Communications Act 2003 and amends section 151 for that purpose.

The clause will enable the Government’s announcements in 2020 on the use of high-risk vendors to be given legal effect. Those announcements include advice that require a public telecoms provider to exclude Huawei from their 5G networks by 2027, and stop installing new Huawei goods, services or facilities in 5G networks from September 2021. It will also enable the Government to address risks that might be posed by future high-risk vendors, helping to ensure our telecoms networks are safe and secure.

Proposed new section 105Z1 sets out the direction power. It would allow the Secretary of State to give a designated vendor direction to a provider, imposing requirements on their use of goods, services or facilities supplied by a specified designated vendor. Proposed new section 105Z2 provides further details on the types of requirements that may be imposed in a designated vendor direction. Proposed new section 105Z3 sets out the consultation requirements and expectations for public communications providers. Proposed new section 105Z4 sets out a requirement for the Secretary of State to provide a copy of a direction to the designated vendor or vendors, specified in a direction and, hence, affected by it. Proposed new sections 105Z5 and 105Z6 set out when and how the Secretary of State may vary or revoke a direction. Lastly, 105Z7 enables the Secretary of State to require a public communications provider to provide a plan setting out the steps that it intends to take to comply with any requirements set out in a direction and the timings of those steps.

Although the Government have made specific announcements on Huawei, the high-risk vendor policy has not been designed around one company, country or threat. The designated vendor direction power, as set out in these provisions, is intended to be an enduring and flexible power, enabling the Government to manage the risks posed to telecoms networks both now and in the future.

Clause 16 includes a non-exhaustive list of matters to which the Secretary of State may have regard when considering whether to issue a designation notice. Amendment 18 seeks to amend that clause by adding a person’s control of data flows to the list of matters to which the Secretary of State may have regard. However, nothing in the clause prevents the Secretary of State from considering control of data flows before issuing a designation notice already, if the matter were deemed relevant to the assessment of national security. It is already covered and so is not required as a stand-alone measure.

The clause creates a power for the Secretary of State to issue a designation notice, which designates a vendor for the purposes of issuing a designated vendor direction. Proposed new section 105Z8 is the principal measure of the clause, and sets out the power for the Secretary of State to designate specific vendors where necessary in the interests of national security. A designation notice must specify the reasons for designation unless the Secretary of State considers that doing so would be contrary to the interests of national security. The proposed new section also lists the primary factors that may be taken into account by the Secretary of State when considering whether to designate a vendor on national security grounds.

Finally in this group, amendment 19 would require the Secretary of State, when laying a designation noticed before Parliament, also to lay before Parliament a report detailing the impact that the designation notice might have on the diversity of the UK’s telecoms supply chain. The effect of the amendment would be to require the Secretary of State to lay a report purely on the impact of the designation notice, but a designation notice simply notifies vendors that the Government consider them a risk to national security.

Only when the designation notice is issued alongside a designated vendor direction are controls placed on the use of a designated vendor’s goods, services and facilities by public communication providers, so it is those controls that might have an impact on the diversity of the supply chain. I can reassure the Committee that the Government will consider the diversity of the supply chain before issuing designation notices and designated vendor directions. A lack of diversity is in itself a risk to the security of a network. I hope that answers the question that the hon. Member for Newcastle upon Tyne Central asked in regard to an earlier amendment. It is right that the Government consider that risk before deciding whether to issue designation notices and designated vendor directions.

To conclude, clauses 15 and 16 provide us with the ability to improve the security of our telecommunications networks and to manage the risks relating to high-risk vendors, both now and in the future.

Photo of Kevan Jones Kevan Jones Labour, North Durham

I thank the Minister for his reply. I do not question his commitment to ensuring that we have security at the heart of the Bill, and I do not intend to press my amendments to a vote.

Photo of Chi Onwurah Chi Onwurah Shadow Minister (Business, Energy and Industrial Strategy), Shadow Minister (Digital, Culture, Media and Sport), Shadow Minister (Science, Research and Innovation)

I will speak to amendments 18 and 19, standing in my name and those of my hon. Friends, and to clauses 15 to 17. As the Minister set out, the clauses are about key powers in the Bill that seek to secure our networks and to regularise requirements already in place, albeit informally or not legally, to remove Huawei as a specific high-risk vendor from our networks. The clauses give Government the powers to do what they have said they will do.

On the clauses, I will not repeat what the Minister said, and I congratulate him on clearly setting out their powers, which the Opposition believe are necessary. I also join the Minister and my right hon. Friend the Member for North Durham in paying tribute to our security services, which do such great work to keep us secure across a wide range of threats and challenges—both present and evolving—and on whose continued work and effectiveness the Bill is highly dependent. As my right hon. Friend set out, we want to ensure that national security is absolutely at the heart of the Bill.

As the Minister set out, the clauses are rightly not specific to Huawei or any vendor or country of origin. It is also important, as the Minister clarified to me in a letter, that they sit in addition to the current process for identifying and designating high-risk vendors and then issuing designated vendor directions, which set out how a designated vendor is to be treated and are critical to ensuring that we do not again find ourselves in a position where we have a high-risk vendor dominant in our telecommunications networks.

Although I accept that the clauses were not designed for Huawei, as is right, the Minister and the Committee must recognise that their impact will be different for Huawei and for future vendors. Parliament and the sector have spent some years considering the level of risk posed by Huawei specifically, and we have spent some time in this Committee discussing the impact of removing Huawei on the diversity of our supply chain. We have agreement from the Secretary of State, the sector and experts that that leaves us in a position where we have only two vendors, effectively, which is not, as the Minister set out, an acceptable position.

Any further designated vendor notices after the one to deal with Huawei will have a considerable impact and will require considerable consultation. We are in a position now where our telecommunications networks supply chains are not diverse or resilient; that is the general consensus. A further designated vendor notice will therefore have a significant impact on the progress of the diversification of our supply chains, which I do not feel is adequately reflected in the Bill or the debate around it. That is partially what our amendments seek to probe.

We are quite focused on Huawei and the process that got us into the mess that we are in at the moment, having to rip a vendor out of our existing networks. I am not sure that we are sufficiently focused on what will happen in the future should there be a need to designate another vendor, perhaps from a hostile state or perhaps not, because of the impact on security. Our amendments probe whether there is sufficient understanding there.

Amendment 18 amends the list of concerns in clause 16 to which the Secretary of State must pay attention when issuing a designation notice, by adding,

“the person’s control of data flows.”

The list is already quite long, at about 40 lines, and includes,

“the nature of the goods… the reliability of the supply of those goods… the extent to which and the manner in which goods, services or facilities supplied, provided or made available by the person are or might be used in the United Kingdom”.

Our concern, which we are highlighting, is whether those are sufficiently forward-looking, whether we are—as was suggested in evidence sessions—fixated on Huawei, the current architecture and current major security threats, and whether we are looking forward to the evolving security threats. That is because—as we have said and I will repeat—the Labour party puts national security at the heart of our scrutiny of this Bill, as the party of national security, a priority which is above the economic considerations that have too often been prioritised above our national security.

Our concern is that failings in the Bill show that the Government may take risks with the security critical network infrastructure and, as part of that, with our long-term economic security. Data is absolutely central to the information economy, which is the economy. Almost all digital services gather personal data and use it for commercial purposes. Data is often described as the new oil. I prefer to call it the engine of our economy. The international and national flows of data are critical to our security, as well as to our economy. We would like the Minister to explain that the protection for UK data flows is recognised as a threat, which is taken into account by the Secretary of State when considering designation notices.

One reason behind the amendment is what we heard from the Committee’s expert witnesses. In response to my question about different aspects of network security that might not be fully addressed by the Bill as it stands, Dr Louise Bennett, the director of the Digital Policy Alliance, said:

“I think most people would agree that the diversity of end points, of interfaces and of applications running over complex networks all pose security problem areas. The more of those you have, the more resilient your network might be on the one hand, because there are multiple parts, but on the other hand, the harder it is to maintain them adequately.”––[Official Report, Telecommunications (Security) Public Bill Committee, 14 January 2021; c. 52, Q68.]

Dr Bennett suggested that control of data flows was a threat that needed to be specifically addressed by the Bill. Howard Watson, the chief technology officer of BT Group, also said:

“We also faced logical threats, such as malware implants, DDoS attacks and what are called advanced persistent threats, which is an actor embedding themself into parts of the environment, staying hidden for a while and potentially collecting credentials—think of the SolarWinds hack that is in the news at the moment.”––[Official Report, Telecommunications (Security) Public Bill Committee, 14 January 2021; c. 17, Q16.]

Emily Taylor, chief executive of Oxford Information Labs, said

“It is also the case that consolidation of infrastructure providers, like the cloud providers, is a security risk, because they become too big to fail. There was a brief outage of Google just before Christmas, and people just cannot work. When Cloudflare or Dyn go down, they introduce massive outages, particularly at a point where we are all so reliant on technology to do our work. These are security risks, and that highlights the need for a flexible approach. You have to be looking across all sectors.”––[Official Report, Telecommunications (Security) Public Bill Committee, 19 January 2021; c. 74, Q88.]

The witness evidence testimonies show that this is not only about the ability to control our signalling systems and protocols in the 5G network as it stands, but as the network evolves more and more of the network control will be both in the centre and on different infrastructure, such as Amazon Web Services in the cloud.

What I particularly want the Minister to respond to the question of how he anticipates the threat from consolidation as the network evolves—this consolidation at cloud level—will be addressed by designation notices? He said that the amendment talks about having regard to designation notices rather than the directions, which would specify the steps that operators have to take. When it comes to making decisions when issuing a designation notice, this requirement fits in with paragraphs (a) to (l), which are already included.

Amendment 19 to clause 17 requires the Secretary of State to lay before Parliament a report on the impact a designation notice will have on telecoms market supply chain diversity to enable parliamentary scrutiny. The amendment seeks to provide greater scrutiny of the diversification of the telecoms market supply chain, which, as we have all agreed, is a prerequisite for the Bill to be effective. It follows amendments 13 and 14, which we have already discussed, in addressing supply chain diversity.

I have mentioned a number of times that the Bill does not refer to the diversification strategy. We heard during the evidence sessions that it was a strategy and not yet a plan. The security of our networks depends on an effective plan to diversify the supply chain, which should also include support for UK capability. The amendment would require that a report be laid before Parliament to set out the impact that the designation notice will have on supply chain diversity. The Minister commented on whether it should be the designation notice or the direction. The objective of the amendment is to ensure discussion and understanding of the impact on the diversification strategy. It is particularly important because, as I have said, any future designation notice will be in the context of a telecoms supply chain that has been significantly reduced as a consequence of Huawei’s removal. It is important that the further impact be understood.

To be clear, we recognise that a designation notice is an appropriate response where there are risks to our national security and to the security of our telecommunication networks, regardless of the impact on diversification. However, we feel strongly that it is important to understand the impact, because of the reduced state of diversification in our supply chain. We cannot have a robust and secure network with only two vendors, and the Government’s emphasis on open RAN technology is yet to be shown to be sufficient to ensure the diversification of our networks in a reasonable timeframe.

I want us to imagine that the Government chose, for whatever reason, to issue a designation notice against one of the remaining vendors—Ericsson or Nokia. It would be critical for the impact on the progress of the diversification strategy to be set out, as well as for discussions to be had with industry and so on. A designated vendor notice could remove a vendor from the supply chain, further reducing resilience and security. I am sure the Minister will agree that it would be important to fully understand the implications, even as we put in place a designation notice. I think we all agree that we are aiming to have a rich diversity of suppliers, but it is also essential to understand the impact of designation notices on that.

We want to encourage the network operators to diversify their supply chains, as we discussed in the evidence sessions. The Bill contains a lot of stick and not very much carrot. A designation notice is absolutely a stick. A requirement to report on the impact on supply chain diversity would encourage the Government to put in place appropriate carrots to increase the incentives for diversification with one hand, as they take away potential vendor diversity in the supply chain with the other.

I support the clauses standing part of the Bill.

Photo of Philip Hollobone Philip Hollobone Conservative, Kettering 10:45, 26 January 2021

Order. The hon. Lady has done really well, but we are not debating clause 17 stand part. She can refer to the other clause if she wishes.

Photo of Chi Onwurah Chi Onwurah Shadow Minister (Business, Energy and Industrial Strategy), Shadow Minister (Digital, Culture, Media and Sport), Shadow Minister (Science, Research and Innovation)

Thank you for the clarification, Mr Hollobone. I see that we are discussing whether clauses 15 and 16 stand part. I support those clauses and look forward to the Minister’s response to the amendment.

Photo of Matt Warman Matt Warman The Parliamentary Under-Secretary of State for Digital, Culture, Media and Sport

I pre-emptively covered a lot of the hon. Lady’s questions, but I will say two brief things. She talked about consolidation in the cloud sector. While the Bill is very much a national security Bill, the National Security and Investment Bill would cover consolidation in that sort of sector, rather than this one. Obviously they do work together.

Photo of Chi Onwurah Chi Onwurah Shadow Minister (Business, Energy and Industrial Strategy), Shadow Minister (Digital, Culture, Media and Sport), Shadow Minister (Science, Research and Innovation)

The point I am making—clearly, I did not make it effectively—is that that sector is becoming this sector. The cloud sector is becoming the telecoms sector. The reason we need this Bill in addition to the National Security and Investment Bill is to address the security concerns of the telecoms sector specifically. The cloud sector is becoming part of the telecoms sector, yet the Bill does not address those concerns.

Photo of Matt Warman Matt Warman The Parliamentary Under-Secretary of State for Digital, Culture, Media and Sport

The hon. Lady is not wrong, obviously, in the sense that there is a potential conversation to be had about when a cloud provider is a telecoms provider and vice versa, if I can put it like that, although it is not the most elegant way of doing so. However, the point is that the reason we have comprehensive coverage of the landscape is because we have both the National Security and Investment Bill, which she debated recently, and this Bill. The broad powers that she described are intended to provide precisely that sort of coverage.

Similarly, the hon. Lady referred to the length of the list in clause 16 of matters that can be taken into consideration. That relates to the point I made previously, namely that the sorts of issues that she is talking about, such as data flows, are already covered in the long list. The list is as long as it is because it is intended to look to the future. Therefore, being prescriptive in the way that she describes is fundamentally unnecessary. We are not excluding what she wants to be on the list. A matter is already very much there if it is pertinent to national security. For that reason, I do not think there is a compelling case to add that single topic to the list, both because it is already there and because if we start going down that route, we could make the case for adding a host of other things that are already covered but that people might want to be mentioned specifically.

As I said earlier on the convergence of the two sectors, the point is that we have comprehensive coverage through both Bills. It will be for the NCSC, Ofcom and the Government to make a judgment as to whether any consolidation in a sector poses a national security risk.

Photo of Kevan Jones Kevan Jones Labour, North Durham

I beg to ask leave to withdraw the amendment.

Amendment, by leave, withdrawn.

Clause 15 ordered to stand part of the Bill.

Clause 16 ordered to stand part of the Bill.