Telecoms Supply Chain Review

Volume 663: debated on Monday 22 July 2019

With your permission, Mr Speaker, I would like to make a statement.

New telecoms technologies and next generation networks such as 5G and full fibre can change our lives for the better. They can give us the freedom to live and work more freely, they can help rural communities to develop thriving digital economies and they can help the socially isolated to maintain relationships. They can transform manufacturing, and make possible connected and autonomous vehicles, smart cities and agriculture. But we can begin this revolution with confidence only if our critical infrastructure remains safe and secure.

We know that there are those who have the intention and the capability to carry out espionage, sabotage and destructive cyber-attacks against our communications sector. The move to 5G brings a new dimension to those risks, given the increased dependence that our national infrastructure is likely to have on those networks over time. That is why, soon after taking up this office, I commissioned a review into the UK telecoms supply chain, involving Government, industry, international partners and the National Cyber Security Centre. It was designed to assess the security and resilience of the UK’s telecoms networks, and to determine what should be done to improve them. Today, I have published its conclusions.

The review identified three key areas of concern. First, existing arrangements may have achieved good commercial outcomes, but they have not incentivised cyber-security risk management. Secondly, policy and regulation in enforcing telecoms cyber-security need to be significantly strengthened to address those concerns. Finally, the lack of diversity across the telecoms supply chain creates the possibility of national dependence on single suppliers, which poses a range of risks to the security and resilience of UK telecoms networks.

The review concluded that the current protections put in place by industry are unlikely to be adequate to address the identified security risks and deliver the desired security outcomes. Therefore, to improve cyber-security risk management, policy and enforcement, the review recommends the establishment of a new security framework for the UK telecoms sector. This will be a much stronger, security-based regime than at present. The foundation for the framework will be a new set of telecoms security requirements for telecoms operators, overseen by Ofcom and Government.

The new requirements will be underpinned by a robust legislative framework. We will pursue legislation at the earliest opportunity to provide Ofcom with stronger powers to allow for the effective enforcement of the telecoms security requirements and to establish stronger national security backstop powers for Government. Until the new legislation is put in place, Government and Ofcom will work with all telecoms operators to secure adherence to the new requirements on a voluntary basis. Operators will be required to subject vendors to rigorous oversight through procurement and contract management. This will involve operators requiring all their vendors to adhere to the new telecoms security requirements. They will also be required to work closely with vendors, supported by Government, to ensure effective assurance testing for equipment, systems and software, and to support ongoing verification arrangements.

In addition, we must have a competitive, sustainable and diverse supply chain if we are to drive innovation and reduce the risk of dependency on individual suppliers. The Government will therefore pursue a targeted diversification strategy, supporting the growth of new players in the parts of the network that pose security and resilience risks. We will promote policies that support new entrants and the growth of smaller firms. This includes research and development support, promoting interoperability and demand stimulation—for example, through the Government’s 5G trials and testbeds programme. We will also seek to attract trusted and established firms to the UK market. A vibrant and diverse telecoms market is not just good news for our consumers; it is good news for our national security, too.

The review also concludes that there should be additional controls on the presence in the supply chain of certain types of vendor that pose significantly greater security and resilience risks to UK telecoms. The House will be particularly concerned, of course, with the position of the Chinese technology firm Huawei. The Government are not yet in a position to decide what involvement Huawei should have in the provision of the UK’s 5G network, and I want to explain why that is.

On 16 May, the US Government added Huawei Technologies Ltd and 68 affiliates to its entity list on national security grounds. US companies now have to apply for a licence to export, re-export or transfer a specified range of goods, software and technology to Huawei and named affiliates, with a presumption of denial. On 20 May, the US Government issued a 90-day temporary general licence that authorises transactions in relation to specified areas. These measures could have a potential impact on the future availability and reliability of Huawei’s products, together with other market impacts, and so are relevant considerations in determining Huawei’s involvement in the network. Since the US Government’s announcement, we have sought clarity on its extent and implications, but the position is not yet entirely clear. Until it is, we have concluded that it would be wrong to make specific decisions in relation to Huawei, but we will do so as soon as possible.

But I also believe that it would be unnecessary and unwise to delay the introduction of the remainder of the telecoms supply chain review’s conclusions. The telecoms security requirements that the review proposes must apply to all companies that want to supply equipment and services in our telecoms supply chain, wherever they come from. The review I commissioned was not designed to deal only with one specific company and its conclusions have a much wider application; the need for them is urgent. The first 5G consumer services are launching this year, and the equally vital diversification of the supply chain will take time. We should get on with it.

I recognise that colleagues may wish to pursue further the technical detail of the proposals that the telecoms supply chain review makes, not least with officials at the National Cyber Security Centre, who will be available to answer questions in Room O in Portcullis House from 10 am to 11 am tomorrow. But I hope the whole House will agree that the future of our digital economy depends on trust in its safety and security, and that if we are to encourage the future scale-up of new technologies that will transform our lives for the better, we need to have the right measures in place to make our telecoms supply chain both safe and secure. That is what the approach proposed in this review will deliver, and I commend it and this statement to the House.

Good afternoon, Mr Speaker. I am grateful to the Secretary of State for advance sight of his statement and notice of today’s announcement.

In January this year, the Secretary of State said that the telecoms supply chain review was

“not a Huawei specific exercise”.

I am afraid that the report published today may be stretching that phrase to its limits. The Government’s handling of the question of Huawei’s involvement in the future of the UK’s 5G network has been defined by one thing: confusion. Rather than this review being published as expected—in March, including a decision on Huawei’s role in our future telecoms networks—we have had a flurry of delays, leaks and rumours.

Today’s further delay on a decision on Huawei means that this confusion will continue, leaving the telecoms industry without the clarity and the public without the confidence they need. A ban on Huawei products could significantly delay the roll-out of the 5G technology that will underpin our tomorrow’s economy. The innovative and green technologies that will form the basis of our future rely on the development and deployment of trusted 5G technology. Our digital infrastructure is already falling behind. The UK lags embarrassingly behind in international comparisons of full fibre roll-out. We are second last in the list of OECD countries, with just 4% of the UK having access to full fibre networks. What Britain needed from this review was not a muddle; we needed a new model for a genuinely world-class digital infrastructure, which we lack at the moment. So this decision must be taken as quickly and transparently as possible, because, whether the Government need to ban Huawei for security reasons or not, the Government have a roll-out target to meet: 5G for the majority of the country by 2027.

We need clarity, one way or another, and the Government should have a plan B for meeting this target if necessary. This review has provided neither. That goes directly against the advice of the Intelligence and Security Committee, which said last week that

“the extent of the delay is now causing serious damage to our international relationships: a decision must be made as a matter of urgency.”

Does the Secretary of State agree?

There are some measures in this review on diversifying the market that are welcome, but this is not an overnight solution, and surely these objectives are best achieved through working with our European partners. Hitherto, the Secretary of State has sought to keep our digital regulation regime in lockstep with Europe. Can he tell us whether the EU is following suit now that the Americans have taken action? If it has not, is he not now concerned that UK digital policy is significantly diverging from that of our closest trading partners?

The situation is indeed complex, as the Secretary of State says. The United States’ recent blacklisting of Huawei has added long-term viability concerns to the existing security considerations. But I am concerned that the future of the UK’s digital infrastructure is being held hostage by transatlantic geopolitics. The question here should be, what is in the UK’s public interest? It should not be, where does this fit into US foreign policy? The British public deserve a trustworthy and modern 5G network that is fit for the future; I fear that, under the new Prime Minister and his Administration, they will get neither.

With your indulgence, Mr Speaker, I will finish on one more point. This could be the last statement that the Secretary of State makes in his current role and, if it is, I would like to put on the record how much my team have enjoyed working with his. I have one phrase for him, from a very great man, who once sang these words:

“For what is a man, what has he got

If not himself, then he has naught

To say the things he truly feels

And not the words of one who kneels

The record shows”—

he—

“took the blows

And did it”

Huawei.

The hon. Gentleman was doing so well until the end; I suppose I should be grateful he did not quote:

“Start spreading the news, I’m leaving today”.

First, on the hon. Gentleman’s last remarks, let me say that the feeling is entirely mutual: I have enjoyed working with him and his colleagues. Our constituents expect not just the cut and thrust of debate across this Dispatch Box, which we have also enjoyed, but that we work together where it is appropriate to do so, and I am grateful to him and his colleagues for the spirit in which they have done exactly that.

Let me say a number of things about the hon. Gentleman’s comments on the statement. First, he is right to say that this announcement is about further delay in relation to decisions on Huawei, and I have explained why that delay is necessary. He is entirely right to say that the industry requires clarity and we should seek to give it that. At the moment, we are not capable of offering that clarity, and any decision that we were to take now might end up being different in the future when that greater clarity arrives. It is not a failing of the UK Government that is at work here, but an attempt to understand the actions of the US Administration and the implications of them.

The hon. Gentleman has said that he is concerned to ensure that this should be a decision about the interests of the UK and not the priorities of the US Administration, and I understand that. I can give him the assurance that decisions we take will be decisions in the best interests of the United Kingdom, but he knows that this is a hugely interconnected sector and it simply is not possible to make sensible judgments about telecommunications without recognising those interconnections. What the US Administration do has a significant impact on Huawei, and we have a situation in which Huawei equipment has American components and intellectual property within it. If that equipment is to find its way into the UK telecoms network, of course the actions and decisions of the US Administration are important—hence the necessary delay here.

The hon. Gentleman is also right to say that this is important technology and it can have a huge impact on our economy; he heard what I said about that a little earlier in the statement. He is wrong to say that the fibre roll-out has reached 4% of the country. It has now reached 8%—it was 4% when I arrived in this job and it has now doubled. He is of course also right to say that that leaves us with a considerable distance still to travel. It is important that we do that in a number of ways, with the most important perhaps being to commit fully to a full fibre roll-out: that was a strategic decision that the Government made—again, in the past 12 months.

Finally, the hon. Gentleman makes reference to the discrepancy that there may be in the approach that different EU countries may take. Of course, it would also be right to highlight the approach that other Five Eyes colleague countries may take. A huge variety of approaches is being taken; there is no uniform approach in the EU, with each country taking a slightly different one. The same is true of the Five Eyes nations. We of course want to engage with all our international colleagues, particularly those with whom we discuss these matters on a regular basis, and make sure that we have their input. However, I go back to my earlier comment: in the end, this will be a judgment that we take in the best interests of the United Kingdom.

I welcome the publication of the Government’s telecoms supply chain review report today. I am very pleased to see that the report reflects many of the points that the Intelligence and Security Committee raised in its statement on 5G suppliers on Friday. I specifically welcome the explicit national security direction power for the Secretary of State to compel telecoms operators in relation to high-risk vendors, because that issue was first raised by the ISC back in 2013.

With that praise in mind, may I pick up a couple of points? The timetable for providing Ofcom with increased responsibility for the new telecoms security requirements will clearly be of great importance. I ask the Secretary of State, will that be accompanied by additional resources for suitably skilled staff? If Ofcom is to do this job, it will need staff—probably brought in from elsewhere—who have skills that Ofcom does not possess. Can he give any greater clarity on the consultation timetable? I appreciate that the legislation is more difficult, but it would be helpful for the House to have an idea of the timeframe for the consultation process.

Finally, turning to Huawei, in the light of the United States’ position and the lack of clarity on entity classification, I entirely understand why the Secretary of State finds it difficult to make a decision at the moment. Clearly, if Huawei is deemed to be such an entity, the reality is that none of those inventing the technology will be able to have any dealings with that company, with long-term consequences for Huawei’s ability to deliver for anybody. That having been said, will the Secretary of State assure the House that this will not be used as an excuse for can kicking? I think that once the 90 days are up, as he may agree, there will be clarity, and the decision must then be made.

My right hon. and learned Friend is right to highlight the ISC’s statement, which has been an important contribution to the debate. As he knows, there is a significant overlap between what it says and the review’s conclusions. On Ofcom’s powers and the resources that must flow with those, I agree that it will be necessary to make sure that Ofcom has the resources to discharge its new duties properly. We will seek to give proper attention to that in the consultation process that is to follow.

On the issue of the timescale for the consultation, my right hon. and learned Friend will understand that we are keen to proceed as quickly as possible. One of the reasons I am addressing the House this afternoon is that had I not done so this week—the House will know that I made a commitment that it would know first when we were in a position to disclose the results of this review—I would be doing it in September at the earliest, and we would be beginning this process some six weeks later than we now can. I hope he recognises that that is an indication of the Government’s intention to proceed as quickly as we can, notwithstanding what he described as an inevitable delay in relation to Huawei specifically.

It is now three months since the national security leak that confirmed that the Government were split over allowing any Huawei involvement in the 5G network, yet it is clear that the Government are still prevaricating, while the US and Australia have been quite vocal about their concerns about the UK Government’s approach. The reality is that this statement is just a lot of words to confirm further delay. Why are the decisions now being left in the gift of the new Prime Minister? Is this just another case of putting the Tory party before the country?

When will we learn the proper definitions of core and non-core network? What happens if there is a legal challenge to the definitions? Would an outright ban not simply be more robust and effective? Further, if the Government continue to progress down the route of identifying core and non-core network, what controls and oversights will there be to ensure that there is no technological solution that allows Huawei to retrieve any data from the core network, if it is allowed to be involved in future?

What assessment has been made of the existing contracts that Huawei has, including its involvement in EE’s existing 5G roll-out to seven cities across the UK? Does not the existence of those contracts show how far behind the curve the UK Government are in taking action? It is a bit too late to be using the word “urgency”. How long will it be before the proposed telecoms security requirements are in statute, given the failures that have been identified? When will guidance be published for the voluntary code that the Secretary of State referred to? What will the Government do to create the desired diversification policy that was outlined in the statement?

Another Chinese company with security risks is ZTE. Have the Government made any risk assessments about the fact that ZTE has been picked to construct a 5G network in Jersey? What is the current status of ZTE’s partnership with BT, and has that been reviewed? Have there been wider Cabinet discussions on Chinese involvement in Hinkley Point C and the reliance on Chinese development to get the station operational? What security risks does that pose? Does this not show that the Government need much more of a bigger-picture approach, rather than the silo approach that is happening at present?

The hon. Gentleman has asked a number of questions; let me try to deal with as many of them as I can.

On the hon. Gentleman’s last point about Chinese involvement in the wider economy, he will recognise that there is a balance to be struck between welcoming inward investment into our economy, which we do, and wanting to be confident that our security requirements are met. In relation to ZTE, he may know that the Government’s judgment, based on advice from the National Cyber Security Centre, is that ZTE should not have engagement particularly in the 5G communications network, which is the subject of this review and this statement.

On the hon. Gentleman’s earlier points, he describes what I am announcing as prevarication. I hope that I have been straightforward in accepting that there is a delay, and I have explained the reasons for it in relation to Huawei. I do not believe that it would be sensible, responsible or helpful to anyone, including the telecoms industry, were I to give a partial decision today when I am not in a position to give a complete decision. It follows from that that when the decision comes to be made, there will be a new Prime Minister in office—that is now a little less than 48 hours away—so it is inevitable that that will be the case.

The hon. Gentleman mentioned a legal challenge. As you would expect me to say, Mr Speaker, from a former life I am always aware of the possibility of legal challenge. In my experience, it is always a possibility, but the way that we can best insulate against it is to reach sensible decisions based on defensible criteria. Again, the best way to do that is to make sure that we have all the information that we need before we make a decision of this kind. That is precisely what the Government propose to do.

It is, of course, a possibility—and remains so—that the Government may decide that an outright ban on Huawei equipment in the 5G network is the appropriate course of action. All I say today is that we are not yet in a position to make a comprehensive decision about that. As soon as we are, we will, but the hon. Gentleman has my assurance—as I indicated to the Opposition spokesman, the hon. Member for West Bromwich East (Tom Watson)—that the decision that we take will be, first and foremost, in the interests of the United Kingdom, and that security interests and our national security equities will be the most important consideration in that.

The hon. Member for Kilmarnock and Loudoun (Alan Brown) suggests that the actions that we are taking are behind the curve internationally. That is not so. If we produce telecoms security requirements in the way that we propose, they will be world-leading measures, and we should be proud of that. We will legislate for them as soon as we are able to do so.

The hon. Gentleman asked for more detail about what diversification of the supply chain might involve. Let me give him some possible examples. We are talking about measures such as improved access to spectrum and the promotion of new infrastructure models. He will be aware of the £200 million 5G test beds and trials programme, which we believe will support new investment, and we can and should pursue greater interoperability for equipment from different suppliers, including by requiring this in technical standards. Of course, the Government can use their buying power to promote a diverse supplier base. We should do all those things in addition to seeking to invite existing, established suppliers to come into the UK market, where they are not already present.

Does this mean a delay in the roll-out of 5G to constituents in Wokingham and elsewhere? If so, how long a delay are we talking about?

The commercial decisions that mobile network operators are making now about what equipment to buy are part of a continuing process. All those mobile network operators will need to consider carefully the position I have outlined today and make the appropriate commercial judgments, but we are seeking to move as quickly as we reasonably can to give them the clarity they need to continue making those investments.

Will the Secretary of State confirm that the assessment of the National Cyber Security Centre is that the risk posed by Huawei equipment to the security of the 5G network is manageable and that that assessment is based on long experience and the unique experience of working with Huawei over 10 years, looking carefully at every Huawei product that comes on to the UK market? What is his estimate of the impact on the speed of 5G roll-out, which was rightly highlighted by my hon. Friend the Member for West Bromwich East (Tom Watson) as a critical question, of excluding Huawei equipment from that network?

The right hon. Gentleman is right to talk about managed risk. He will recognise that we have been managing the risk presented by Huawei’s specific circumstances within the 4G network for some considerable time. He is also right, of course, that we have to consider the potential delay to the roll-out caused by any measures we decide are necessary. I repeat that the most important criterion is that we act in our national security interest. If that causes delay, it may well still be the appropriate course of action, but we will need to decide that when we are in possession of all the facts. He has my assurance that when we do that we will make the most balanced judgment we can. As I said to my right hon. Friend the Member for Wokingham (John Redwood), all commercial operators will need to take account not just of what we have said today but of what they already know about the position in the United States and elsewhere.

Does the Secretary of State accept that the phrase “manageable risk” is almost a contradiction in terms, because if it were fully manageable, it would not be a risk? Is he not absolutely right not to be taking a decision with such profound security implications for our future in the dying few hours of an outgoing prime ministerial Administration? Finally, does he accept that unlike other suppliers, which, it is true, may have contaminated supply chains themselves, Huawei is unique in being subject to article 14 of China’s national intelligence law, passed in June 2017, which empowers the intelligence agencies of the Chinese state to

“request the relevant organs, organisations and civilians to provide necessary support, assistance and cooperation”

to those intelligence services? We would be mad to enter into a direct security relationship with the agencies of a totalitarian communist state.

I am grateful for my right hon. Friend’s comments. Of course, he is right that we should take no risks that are not manageable. Once we are in possession of all the information we should have, we will have to judge whether we are capable of managing the appropriate risk effectively. If we are not, it is a risk that we should not take. On that I entirely agree, but that decision has not yet been taken.

My right hon. Friend is right to highlight the Chinese law—it is what makes Huawei different from many other suppliers in the network—but I repeat the point I made a moment ago: a process for managing that risk has been in place for some considerable time. So far as delay is concerned, I repeat that in my judgment the right way to proceed is to delay only until we are in possession of the facts and information necessary to make the right judgment. That is the process we will undertake.

The Intelligence and Security Committee issued a statement on Friday saying that the UK network had to be built in such a way as to withstand attack from any quarter. The Secretary of State knows that only Nokia, Ericsson and Huawei can provide the 5G required for the UK’s use. While his noble aspiration is to pursue targeted diversification, is that realistic given the three potential suppliers? Should we not have a resilient service that can meet any potential threat within any of those three suppliers, rather than the desperation of simple diversity?

The right hon. Gentleman is right, but they are not mutually exclusive. We can and should do both. Diversification will not happen overnight, which is one reason I want to proceed as swiftly as possible with that track. It will take time for us to develop diversification in the market, but none the less we should seek to do so in the longer term. In the shorter term, he is also right—he knows this from his ISC work—that part of the reason we want a larger number of suppliers in the system is not simply that that is commercially and economically beneficial, but that there is a security benefit. Having several different suppliers’ equipment in the system helps to prevent overdependence on any one supplier’s equipment. That is an obvious security imperative. We should do that. It is part of the calculation we make about the security imperative in this decision.

Given the fundamental issue of security, which for many of us here must override all the other interests, I congratulate my right hon. and learned Friend on this statement on a new security framework, particularly since it will be a much stronger security-based regime than that which exists at present.

I am very grateful for my right hon. Friend’s support. As he knows, my clear intent in commissioning the review was to focus first and foremost on security. No other consideration comes ahead of security. Fundamentally, we must make a decision on the basis of what is in our security interests, but he is also right that if we were to focus solely on one company or country, we would miss the broader important point that our telecoms supply chain must be resilient and secure, regardless of where equipment comes from, because risk may transfer from place to place and our population is entitled to expect that the approach we take puts security at its heart, wherever the equipment comes from.

It is essential that the national security implications of using Huawei equipment be fully taken into account, but what consideration, if any, is given to the use of Huawei equipment in the repression of Uyghurs? Do the UK Government take that and the use of similar equipment by other manufacturers from China into account?

I know that the right hon. Gentleman regularly raises this issue with colleagues from the Foreign Office. As he knows, we are concerned about it across Government. It is important that the UK Government, in their communications with the Chinese Government, stress the importance of human rights and their protections for minorities as well as for majority populations in China, and we will continue to do that. The judgments we make in this review will not diminish the UK Government’s enthusiasm for making that case.

Given that Huawei is to all intents part of the Chinese state, given that China has extensive history of intellectual property theft, data theft, cyber-attacks and the development of a surveillance state in parts of its own country, given that it is building up a dominant position in advanced comms that will eventually put Nokia, Samsung and others out of business, given the increased warnings of the Cell, and given our Five Eyes colleagues’ positions, does the Secretary of State agree that having any tech from one-party authoritarian states in our critical national infrastructure raises difficult and potentially insurmountable obstacles when it comes to data protection and protecting our human rights, the rule of law, our value system in the 21st century and security?

I certainly think that my hon. Friend’s description justifies his reference to difficult issues. As for whether they are insurmountable, if he will forgive me I will not answer that question, because it would predetermine the outcome of the review that still has to happen specifically in relation to Huawei. However, all the points that he has made are proper for consideration as we make that decision.

May I take the question asked by the right hon. Member for Carshalton and Wallington (Tom Brake) a little further? A million Uyghurs are languishing in concentration camps in Xinjiang, and the people of that province are under constant surveillance with the connivance of Huawei in the regime. All of us—especially those of us who are members of the Select Committee on Defence—are aware of the security risks of the project, but the Secretary of State and the Government have yet to answer a more fundamental question. Why should they reward a company that has been complicit in creating an authoritarian, dystopian Xinjiang with such a large Government contract?

As I said to the right hon. Member for Carshalton and Wallington, the UK Government are not uninterested in this subject; far from it. The hon. Gentleman will understand, however, that the parameters of the review that we are undertaking here relate to what measures it is sensible to take to protect our security interests within the UK telecoms network. Elsewhere in the Government, we continue to take a strong interest in the welfare of minorities in China and elsewhere, and to make strong representations thereon.

I welcome the statement, and, in particular, what my right hon. and learned Friend said about the new national security framework for telecoms. Does he agree, however, that that framework needs to reflect the rapidly changing technological landscape in which we are operating, and needs to be properly resourced to be effective and serve its purpose?

Yes, I do agree with my hon. Friend. I think that both those points are important. We need to build the framework in a way that enables it to adapt as the technology develops, and we will seek to do that. He will have heard me say that we intend to consult on the specifics of the telecoms security requirements. The matter will then come to the House, because we will need to legislate for the powers that will be necessary for both the Government and Ofcom to enforce those requirements.