New Clause 5 - Reporting to Parliament No.2

Telecommunications (Security) Bill – in a Public Bill Committee at 2:45 pm on 26 January 2021.

Alert me about debates like this

‘(1) The Communications Act 2003 is amended as follows.

(2) After section 105Z29 insert—

“105Z30 Reporting to Parliament

(1) The Secretary of State must produce an annual report for the Intelligence and Security Committee of Parliament concerning—

(a) designated vendor directions made under section 105Z1; and

(b) designation notices issued under section 105Z8.

(2) The report must contain an assessment of the national security risks underpinning the directions and notices made under those sections.

(3) Ofcom must produce an annual report for the Intelligence and Security Committee of Parliament—

(a) assessing the adequacy of existing security measures within UK public electronic communication networks and services; and

(b) assessing future threats to the security of those networks and services.”’

This new clause introduces a requirement for the Secretary of State to report to Parliament on the impact of vendor designation on national security risks. It also requires Ofcom to produce a forward looking report on future threats to network security and undertake an assessment of the adequacy of existing measures.

Brought up, and read the First time.

Photo of Chi Onwurah Chi Onwurah Shadow Minister (Business, Energy and Industrial Strategy), Shadow Minister (Digital, Culture, Media and Sport), Shadow Minister (Science, Research and Innovation)

I beg to move, That the clause be read a Second time.

New clause 5 is similar in its intent to amendment 19, which we discussed earlier. As with all our amendments and new clauses, it is designed to improve the Bill through ensuring greater scrutiny, focus, transparency and security for the diversification of our network. It would introduce a requirement for the Secretary of State to report to Parliament on the impact of vendor designation on national security risks. It would also require Ofcom to produce a forward-looking report on future threats to network security and undertake an assessment of the adequacy of existing measures.

At the centre of the new clause is a wish to reflect the importance of national security not as a snapshot in time but as something that needs to be continually monitored, considered and assessed for future impact. The new clause would require the Secretary of State to produce an annual report for the Intelligence and Security Committee of Parliament. That would ensure that the report can be comprehensive with regard to security issues that might not be appropriate to share with the public or the Digital, Culture, Media and Sport Committee. The new clause would require that the annual report should concern designated vendor directions made under new section 105Z1 and designation notices issued under new section 105Z8. The report must contain an assessment of the national security risks underpinning the directions and notices made under those sections. That is for the Secretary of State to report.

In addition, Ofcom would be required to produce an annual report for the Intelligence and Security Committee to assess the adequacy of existing security measures within the UK public electronic communication network and services. Critically, it should assess future threats to the security of the networks.

As we have discussed, the Bill gives major sweeping powers to the Secretary of State and Ofcom. We want to ensure that they are proportionate and accountable. Like amendments 5, 9, 10, 20 and 22 to 25, the new clause seeks to address issues of oversight, scrutiny and transparency. We have taken some heart from the Minister’s recognition in the previous debate of the unique role of the Intelligence and Security Committee in assessing security implications, in that case resourcing for Ofcom. The new clause would ensure a focused accountability to Parliament, via the Intelligence and Security Committee, of the notices, designated vendor directions and designation notices made under the provisions of the Bill, and the existing security measures and future threats.

As aspects of this have already been debated, I want to focus on assessing future threats to the security of the network and services. The Minister might say that that is part of the responsibility of the National Cyber Security Centre. What we see is a massive transformation of how the UK addresses security in telecommunication networks, for very good reasons, and a significant amount of the responsibility falls on Ofcom.

The Minister has written to us about how Ofcom and the NCSC will be expected to work effectively together, and we welcome that, but it is also important that Ofcom demonstrates that it has the resources and skills to assess forward-looking threats to the security of our networks. If the measures in the Bill are to be effective for the next five or 10 years, there must be adequate accountability and assessment of future threats, so that we do not find ourselves once more in the position that we are in now because there has been a wholesale change to the networks and Parliament has not been able to assess the implications.

To support the concerns that we have raised, it is worth remembering that Andrea Donà, UK head of networks at Vodafone, said:

“Reviewing the legislation at regular intervals to assess its efficacy in the face of new technological challenges, and also in the light of new strategic aims by Government and that constant review involving the industry, will be very welcome”.––[Official Report, Telecommunications (Security) Public Bill Committee, 14 January 2021; c. 8, Q3.]

Dr Alexi Drew of the Centre for Science and Security Studies, talked about making it as hard as possible for attackers to get access, saying:

“We should be making sure that there is as much oversight and understanding as is possible of where our supply chains go, the standards that they should meet, and whether those standards are being met…this Bill goes some way towards that. I would argue that it needs to be continually updated, checked and maintained. This is not a one-off: times change, and the internet changes faster. Those would pretty much be my recommendations.”––[Official Report, Telecommunications (Security) Public Bill Committee, 19 January 2021; c. 82, Q100.]

Dr Louise Bennett argued that it was incumbent on the Government to have funding in place if vendor designations affected particular suppliers, because it could have the opposite effect to the one intended as small suppliers might not have

“the resources of skills, time or money”––[Official Report, Telecommunications (Security) Public Bill Committee, 14 January 2021; c. 52, Q67.]

to respond. Reporting to the Intelligence and Security Committee on the impact of vendor designation notices as well as on forward-looking threats would be provide an opportunity to take account of the impact on particular sectors and on small suppliers, for example. Furthermore, we have talked previously about issues of confidentiality in the sector and concerns about changes and evolution in network architecture or the performance and predominance of one particular supplier, and the increasing influence that a supplier might have, which might not be appropriate to be reported in a public domain but would very much gain from being reported in a secure measure.

I know that the Minister is reluctant to add to the duties of Ofcom. He will probably say that Ofcom could do this if it wanted to. I reiterate that Ofcom has a lot of things that it could or should do, and would do, but it does not have as a principal duty ensuring the forward-looking security of our networks. The new clause will ensure that that is regularly considered by Ofcom and that Parliament can exercise adequate and effective scrutiny. It would also contribute greatly to the ability of Ofcom and the National Cyber Security Centre to work together effectively, as they would to produce such a report. I hope the Minister will support the provisions of the new clause.

Photo of Matt Warman Matt Warman The Parliamentary Under-Secretary of State for Digital, Culture, Media and Sport 3:00, 26 January 2021

As the hon. Lady said, we have addressed various issues relating to the new clause in previous debates. It is important to stress that Ofcom has the resources that it needs. She talked about its ability to face the future, but in our evidence sessions, we talked to Simon Saunders, the director of emerging technology. I know she does not wish to suggest that Ofcom does not do this already, but demonstrably it is already proactively engaged in horizon scanning.

Photo of Chi Onwurah Chi Onwurah Shadow Minister (Business, Energy and Industrial Strategy), Shadow Minister (Digital, Culture, Media and Sport), Shadow Minister (Science, Research and Innovation)

Speaking as someone who was head of technology at Ofcom, I am aware that it engages in horizon scanning. I am sure the Minister will come on to this, but while there might be horizon scanning to understand how markets evolve and what level of competition may be seen in new markets in the future, the new clause deals specifically with horizon scanning for security and security threats. I am sure the Minister will focus on that.

Photo of Matt Warman Matt Warman The Parliamentary Under-Secretary of State for Digital, Culture, Media and Sport

It is important to say that we have amended section 3 of the Communications Act 2003, to which the hon. Lady alluded, so that Ofcom must have regard to the desirability of ensuring the security and availability of networks and services, so that should be incorporated into the horizon scanning work.

Photo of Chi Onwurah Chi Onwurah Shadow Minister (Business, Energy and Industrial Strategy), Shadow Minister (Digital, Culture, Media and Sport), Shadow Minister (Science, Research and Innovation)

This is an important point. I do not think the 2003 Act has been amended, since I had it reprinted a week ago. We were talking about the principal duties. Under section 3, Ofcom has about two and a half pages of duties that it needs to carry out, but only two principal duties. Those principal duties do not mention security.

Photo of Matt Warman Matt Warman The Parliamentary Under-Secretary of State for Digital, Culture, Media and Sport

The hon. Lady is right, but as of 31 December 2020, section 3(4) states:

OFCOM must also have regard, in performing those duties, to such of the following as appear to them to be relevant in the circumstances…the desirability of ensuring the security and availability of public electronic communications networks and public electronic communication services

It is absolutely there, but I fear we are getting into a somewhat semantic argument.

Photo of Chi Onwurah Chi Onwurah Shadow Minister (Business, Energy and Industrial Strategy), Shadow Minister (Digital, Culture, Media and Sport), Shadow Minister (Science, Research and Innovation)

The Minister is generous in supporting this back and forth in debate. I will close by pointing out that the duty to which he refers is one of 13 duties, so it can hardly be considered a priority. To put it more fairly, to ensure that it is a principal priority, it would need to be elevated.

Photo of Matt Warman Matt Warman The Parliamentary Under-Secretary of State for Digital, Culture, Media and Sport

I think an organisation of 937 people can cope with 13 priorities. On one level, however the hon. Lady makes a reasonable point, and it is not one that we disagree with. Security has to be absolutely central to the work that Ofcom will do.

I will not restate the points I have made about how seriously we take the Intelligence and Security Committee and how seriously we will continue to take it. We will continue to write to the Committee on topics of interest as they arise and we are happy to continue to co-operate in the way that I have done; however, as I said in the debate on amendment 9, the primary focus of the ISC is to oversee the work of the security and intelligence agencies, and its remit is defined in the Justice and Security Act 2013. Amending the Bill to require regular reporting to the ISC, as proposed by the new clause, would risk the statutory basis of the ISC being set out across a range of different pieces of legislation.

Photo of Matt Warman Matt Warman The Parliamentary Under-Secretary of State for Digital, Culture, Media and Sport

Earlier, the right hon. Gentleman was suggesting that it was the memorandum of understanding that he would like to see amended. Now he seems to be suggesting that we should insert the new clause, which will not change the memorandum of understanding.

Photo of Kevan Jones Kevan Jones Labour, North Durham

No, I said in an earlier contribution that if it were done by the memorandum of understanding, I would be quite happy. I know the Minister is limited in the number of civil servants he has beneath him compared with Ofcom, but will he go away and read the Justice and Security Act 2013? It talks about Departments, but it also talks about intelligence more broadly, which is covered by the memorandum of understanding. I do not know why he is pushing back on this issue; it may be because of the Cabinet Office, which has more civil servants than he has. I suggest that we will win this one eventually.

Photo of Matt Warman Matt Warman The Parliamentary Under-Secretary of State for Digital, Culture, Media and Sport

That may well be the case, but the right hon. Gentleman is not going to win it here—that is the important point to make. It is right not to try to address this issue in the new clause, but the Government will continue to take very seriously the work of the ISC, as he would expect.

Additionally, the new clause is designed to require Ofcom to provide annual reports to the ISC, which would, as the right hon. Gentleman knows, be particularly unusual in the context of the work of the Committee, as Ofcom will not be making judgments about the interests of national security under the Bill, or as part of its wider function. Ofcom’s role as regulator seems not to be something that comes under the purview of the ISC, even if I understand the broader point. As I said earlier, however, the NCSC is very much under the purview of the ISC, and there are plenty of opportunities for the Committee to interrogate the work of that excellent agency. I am sure the Committee will continue to take up such opportunities with vigour, but as I have said before, it would not be right to seek to reframe the remit of the ISC through the new clause. I ask the Opposition to withdraw it.

Photo of Chi Onwurah Chi Onwurah Shadow Minister (Business, Energy and Industrial Strategy), Shadow Minister (Digital, Culture, Media and Sport), Shadow Minister (Science, Research and Innovation)

I thank the Minister for his comments and for engaging so readily in debate. I have to say that we feel very strongly about the new clause, both for parliamentary scrutiny and for ensuring that Ofcom is looking forward and assessing future threats. With bated breath, I wish to test the will of the Committee on the new clause.

Question put, That the clause be read a Second time.

Division number 3 Telecommunications (Security) Bill — New Clause 5 - Reporting to Parliament No.2

Aye: 3 MPs

No: 10 MPs

Aye: A-Z by last name

No: A-Z by last name

The Committee divided: Ayes 3, Noes 10.

Question accordingly negatived.