Telecommunications (Security) Bill (Third sitting)
The Committee consisted of the following Members:
Chairs: † Mr Philip Hollobone, Steve McCabe
† Britcliffe, Sara (Hyndburn) (Con)
Cates, Miriam (Penistone and Stocksbridge) (Con)
† Caulfield, Maria (Lewes) (Con)
Clark, Feryal (Enfield North) (Lab)
Crawley, Angela (Lanark and Hamilton East) (SNP)
† Johnston, David (Wantage) (Con)
† Jones, Mr Kevan (North Durham) (Lab)
† Lamont, John (Berwickshire, Roxburgh and Selkirk) (Con)
† Matheson, Christian (City of Chester) (Lab)
† Onwurah, Chi (Newcastle upon Tyne Central) (Lab)
† Richardson, Angela (Guildford) (Con)
† Russell, Dean (Watford) (Con)
† Sunderland, James (Bracknell) (Con)
Thomson, Richard (Gordon) (SNP)
† Warman, Matt (Parliamentary Under-Secretary of State for Digital, Culture, Media and Sport)
† West, Catherine (Hornsey and Wood Green) (Lab)
† Wild, James (North West Norfolk) (Con)
Sarah Thatcher, Huw Yardley, Yohanna Sallberg, Committee Clerks
† attended the Committee
Professor William Webb, CEO, Webb Search
Emily Taylor, Chief Executive, Oxford Information Labs
Dr Alexi Drew, Research Associate at the Centre for Science and Security Studies, King’s College London
Simon Saunders, Director of Emerging Technology, Ofcom
Linsey Fussell, Group Director for Networks and Communications
Public Bill Committee
Tuesday 19 January 2021
[Mr Philip Hollobone in the Chair]
Telecommunications (Security) Bill
The Committee deliberated in private.
Examination of Witnesses
Professor William Webb and Emily Taylor gave evidence.
We now resume the public sitting. Welcome to our third session of oral evidence on the Bill. All our witnesses today will be giving evidence by video link.
Before calling the first panel of witnesses, I remind all Members that questions should be limited to matters within the scope of the Bill, and that we must stick to the timings in the programme motion that the Committee has agreed. For the first panel, we have until 10 minutes past 10 o’clock.
I now call the first panel of witnesses: Professor William Webb, CEO of Webb Search, and Emily Taylor, chief executive of Oxford Information Labs. Would you please be kind enough to introduce yourselves for the record and make a brief opening statement? We will start—ladies first—with Emily Taylor.
Emily Taylor: Thank you, Mr Hollobone. Good morning. My name is Emily Taylor. I am a lawyer by training. I have worked in the internet environment for more than 20 years. I am CEO of Oxford Information Labs, a cyber-intelligence consultancy. We are actively involved in standards organisations such as the International Telecommunication Union. I have authored papers on 5G and geopolitics, and on China’s efforts to standardise a new internet. I am an associate fellow at Chatham House, editor of the Journal of Cyber Policy and a research associate at the Oxford Internet Institute.
I have listened to the evidence that you have heard so far, and in three areas I think I can bring new information or offer alternative perspectives to the Committee. Those are: why standards matter and what China is doing in standards; the need for a holistic approach to minimising cyber-security risks across critical national infrastructure and especially supply chains; and the China containment strategy and whether there might be more positive alternatives. I have several drafting points to make about the Bill itself, which I am happy to explore with you if time allows. I am of course happy to answer any other questions that you would like to put to me, within my capabilities.
Thank you very much. Professor William Webb?
Professor Webb: My name is William Webb. I am an engineer by background. I have worked as a telecoms consultant for many years, and that is what I do now, advising regulators, operators and manufacturers around the globe. Most relevant to this Committee is perhaps that I spent seven years at Ofcom, helping it with radio spectrum and technology strategy. I spent 18 months at the Department for Digital, Culture, Media and Sport, helping it with its 5G programme. I have also co-founded a start-up in the telecoms space, so I understand that area.
Potentially, I can help the Committee on the security side by looking at whether we can be sure that we are being proportionate in our response to security issues. I can certainly help on the diversification side by talking a little about the strategies of operators, the potential role of open radio access networks and other such diversification strategies, and perhaps some of the better ways to deliver diversification in the future.
Thank you very much indeed. I am now in Members’ hands. Who would like to be first out of the blocks? Kevan Jones.
Emily Taylor: Thank you very much for those questions. The first aspect is why standards are important. Standards development can be very long, drawn-out and not the most interesting thing to participate in, but they are vital both for our security going forward and as part of the diversification strategy. Dominance or over-reliance on a small number of players is bad for innovation, security and procurement. It is great to see the importance of standards coming through in the diversification strategy that has been published. Although standards can take many years to be created, they also hang around for many years, so if we miss the boat with a particular standard when it is critical to a new industry or technology, that can have a lasting effect on our domestic and international industries.
Many scholars, such as Laura DeNardis, have pointed out that technology is not neutral, and this really applies in standards. By accident or design, standards embed the attitudes, values and world view of the engineers who create them. That has not really been a problem for western countries to date, because the US and European participants have tended to dominate, but going forward we need to find a new way of coping and co-existing with a technological superpower that does not share our values and that has invested heavily, with a strategic approach to standards, for several years.
You asked who the leading players are in standards, and in particular you alluded to the role of China. It is quite telling to reflect on the number of leadership positions across the standards organisations environment currently held by Chinese nationals. Of course there are many standards organisations, including the Internet Engineering Task Force, the International Telecommunication Union, which sits within the UN, and bodies such as 3GPP—the 3rd Generation Partnership Project—and the European Telecommunication Standards Institute. The Chinese players we see, not just from the Government but industry, include Huawei, Futurewei, ZTE, China Mobile, China Academy of Telecommunications Technology, and Tencent. All of them are active in standards.
The ITU is headed by a Chinese national, and of 11 working groups within the ITU’s Telecommunication Standardisation Sector, or ITU-T, China has a chair or vice-chair in 10, and a total of 25 positions at chair or vice-chair; 135 so-called “questions”, which are sort of agenda items across those working groups; and 87 rapporteurs. I could go on, but I think the point is made.
On where we are with a D10, as you know, the Defence Committee has quite majored on the idea of a D10—indeed, the idea has been going around for several years. The key element as I understand it is a recognition that this country needs to act with others to have a chance of having the coverage and investment that China has had, and that there are like-minded countries that we can partner with across standards, and also to reinvest in domestic or shared capability for manufacturing. Manufacturing has been leaving western countries for more than 30 years and we are now seeing the effect of that. It is all very well to worry about the rise of China, but if at the same time you are asking China to make absolutely everything, it is inevitable that there will be some technology transfer.
Of course, the D10 does not exist. The idea of a Five Eyes type of thing that would also morph into an economic and legal type of partnership also does not exist. Five Eyes is an intelligence-sharing network, not an economic bloc or a trading bloc. So there are challenges, but there are also opportunities for partnerships.
Emily Taylor: It is a bit like waking up halfway through a chess game and realising that you are about three moves away from checkmate. I think we have taken the eye off the ball, although the UK has been strong on standards and has invested in them, but we cannot match China, where we see the fruits of a patient long-term strategy. It is all laid out in the “China Standards 2035” document, but some people in working groups say that they get more than 100 papers to deal with just before a meeting.
There is a sense that we are losing a grip. Part of that is that we did not realise how far standards embed our values until we started to see the alternatives. New IP is something that we have been writing about and studying over the last year. That is China’s efforts to standardise effectively an alternative architecture for the internet, which would not be compatible with what we have today. That is at quite an advanced state across numerous working groups within the ITU.
Professor Webb, would you like to respond?
Professor Webb: I certainly agree with all that. I have written standards myself and even run a standards body, so I know how they work. The important point is that it is not possible for a Government just to say, “We are going to influence that standard.” Standards are influenced by the working papers written by the companies that attend the standards body. The UK Government themselves could not really have an influence, and nor could a university or any other organisation like that, not unless they spent inordinate amounts of money and hired a lot of people to write a lot of papers. There needs to be a concerted global or western European effort, or some kind of larger scale activity that can help the larger companies with the resources and expertise and the standards bodies to step up their efforts.
Professor Webb: I think the Bill is fine when it comes to potentially delivering the security desires. It seems to be a very flexible Bill and has the capability to do all those kinds of things. My key worry is more one of proportionality. The Bill essentially says everything must be done to make sure that networks are completely secure. Of course, security is extremely important, but we could have a situation where there is a very tiny risk of some security breach but the mitigation is inordinately expensive, and that might result in higher consumer costs for mobile phones.
Ofcom will need to weigh up that proportionality and make sure its response is correctly balanced, but I do not see that in the Bill. I worry that the risk aversion that I think will happen automatically with the regulator may result in excessive security measures that penalise consumers when they are not particularly necessary. That is my biggest concern looking at the current structure.
Emily Taylor: I agree with William’s overview of the Bill. It is great to see that the industry welcomes it. We heard from Ciaran Martin yesterday in his evidence to the National Security Strategy Committee that industry asked for this, because it had reached the limit of what it could do on a voluntary basis. It is great that it will lead to substantial investments and security. The telecoms security requirements are almost a recipe book—a very clear set of instructions on how to build more secure networks, which is great, particularly the focus on securing the management plane.
However, as William has described, in certain scenarios, there are almost unlimited liabilities for providers, not just to their customers, but to every person who could be affected by a contravention under clause 8. The inspection notices give very wide powers, including entry to premises, and the provider pays for that, so there is not much incentive for Ofcom as the regulator to think about whether this is justified value-for-money-wise and how to target interventions. I could go on, but the other question I have is about Ofcom’s capacity in this sector, because it will have to acquire a very specific set of skills and capabilities, and that will require substantial investment and learning as an organisation as well.
I have a couple of questions, starting with you, William. We heard from Mavenir on Thursday that open RAN could provide 2G, 3G, 4G and 5G networks now, but the operators were not looking to purchase networks from it. What is your view on the accuracy of that statement and the maturity of open RAN? What challenges does that pose with regard to the diversification strategy set out by the diversification taskforce?
Professor Webb: Thank you, Chi. I am sure Mavenir is correct that it can sell equipment that can do 2G, 3G, 4G and 5G, but that is not sufficient for an existing operator. If an operator wants to put this equipment into its network, it needs to work with its network diagnostic systems; it needs to handle all of the various features that it might deliver to customers, businesses or whatever, or that it might use for optimising its network or the various software systems that it has. It has built these up over 20 or 30 years, so adding in the equipment is a lot more than simply ticking the box and saying that it can transmit 2G or 3G. That takes quite some time, particularly with the more complex base stations that we find in city centres. The ones in rural areas are typically much simpler and less problematic if they go wrong. That is why we see people like Vodafone trialling open RAN in those places.
Although Mavenir has all the ticks in the boxes, it does not yet have work-through with the operators to deliver something that really works for all of its network. As we have heard from the operators, that is a long, slow process. The operators are rightly risk averse—they do not want to rush out a whole load of equipment and for their networks to fail after a few months, with all the problems that that would have for consumers. So it seems to me that we are still some time away—I think the operators have said five, six or maybe seven years—from any significant deployment of open RAN. That sounds very plausible to me as a strategy for evolving a network. Of course, by the time you get to that point, they will have deployed most of their 5G network already, so it feels as though open RAN will be too little too late to have a significant impact on diversifying the 5G networks that we have in this country and that we will have for the next few years.
Professor Webb: If I wanted to diversify, I would instruct the telecoms operators to diversify. I would not try and pull the levers one step removed. I would say to the telecoms operators, either with a carrot or a stick, “You must diversify. If you have x number of vendors in your network, I will give you £x million as a carrot.” The stick might be some kind of licence condition that said, “In order to meet your licence, you have to have at least x number of vendors in your network.” That seems to me to be the way to pull through, and then the operators can decide whether they want ORAN, something like NEC or Samsung or someone like that. They can make that choice and that will pull through the decisions to them, rather than the Government trying to decide on their behalf what the best technology for them to use might be.
Emily Taylor: Thank you very much for those questions. As a general point about the cyber-security of critical national infrastructure, I feel a little like we have been fetishising 5G and a single company for the last two years, perhaps at the expense of a more holistic awareness of systemic cyber-security risks. Ciaran Martin spoke eloquently yesterday about the need for flexibility in what critical national infrastructure is. The last year has shown us that what is critical very much depends on what you are going through at the time. Healthcare systems probably would not have been top of the list two years ago, but now they are. The SolarWinds attack shows that the identity of the vendor is not always the key risk point. SolarWinds is a very trusted vendor from a like-minded, close ally country, and yet it turns out to be a critical single point of failure across key, very sensitive Government Departments, both in the US and the UK.
Thank you for talking about consolidation across cloud services, Chi. One of my reflections on open RAN is that, although, of course, I am excited at the idea of open, interoperable standards, which would prevent vendor blocking, most of my experience has been in the internet environment rather than the mobile environment, and we are replete with open, interoperable standards, but we have a major competition problem. That in itself is not going to be enough of a lever to secure diversification.
On the point about acquisitions, particularly where you have cutting-edge technologies coming through, this country is really good at R&D—we have wonderful universities full of very brainy people who are creating things—but there does not seem to be the follow-through to create world-beating companies that can compete across the world stage. Why is that? It is because they either get sold to the US or to China. Of course, the foreign investment security strategies are all part of this as well, but you make a key point. If Amazon Web Services was sold to a frenemy country, that would potentially introduce the same kind of, at least theoretical, security risks that we have been troubled by over Huawei and 5G.
It is also the case that consolidation of infrastructure providers, like the cloud providers, is a security risk, because they become too big to fail. There was a brief outage of Google just before Christmas, and people just cannot work. When Cloudflare or Dyn go down, they introduce massive outages, particularly at a point where we are all so reliant on technology to do our work. These are security risks, and that highlights the need for a flexible approach. You have to be looking across all sectors.
Emily Taylor: Generally, our standard of security across the board is not as high as it should be.
Professor Webb: I realise that Chi had also asked me how the UK can strengthen its ability to provide diversified supply chains, and I did not address that.
I want to pick up on something Emily said as well. I think she is absolutely right—the UK has a great number of really excellent engineers, both in universities and in leading consultancy-type organisations. Here in Cambridge there is a plethora of wonderful consultancies and start-up companies. In my experience, the biggest problem is actually finance. To try to raise the finance to get a start-up company off the ground, particularly one that sells to operators who have huge purchasing power and tend to squeeze all their vendors—quite naturally—is very difficult in the UK. It is much easier in the US. Addressing the ability to provide finance for those kinds of entities and, to Emily’s point, allowing them to exist for many years rather than to be bought as part of that financial process would help more than anything else, for the UK to grow its own major players in this space.
Professor Webb: Yes, I think there is a balance. I do not have strong views on that. The legislation appears to be sufficient and flexible in this space. I think the issue is the way it is implemented, and particularly the downstream actions of the Government and of Ofcom might need a bit more care.
Emily Taylor: The legislation is creating a framework, and a lot of that will be filled out through statutory instrument and the codes of practice that are envisioned. I imagine the codes of practice will reflect the TSRs to a large degree. Thinking particularly about how the legislation might impact on the wish and the essential need to diversify, it imposes very high levels of liability for providers, and almost unlimited duties on everybody for the smallest infractions. That is William Webb’s point about proportionality.
As the measures come to life through secondary legislation, codes of practice and the actions of Ofcom, it is going to be very important that there are checks and balances. I am not sure whether the Committee is hearing from any civil society groups, but I am sure they would be worried about the very wide discretion for the Secretary of State. There is a lot of concentration of power in the Secretary of State and, perhaps, insufficient safeguards, as things are currently drafted.
Also, on the provisions that relate to the identity of the supplier—the nationality—rather than the qualities of security, which I think are the more relevant points, of course identity and nationality can be relevant, but there may need to be more of a look there to ensure that we are on the right side of potential risks of discrimination.
Emily Taylor: I think that was a question to Professor Webb.
You will both get a chance. We will go to Professor Webb.
Professor Webb: I am certainly all in favour of placing the requirements on those best placed to deliver them. For diversification, that is certainly the operators. I talked a bit about how you could, for example, offer them some financial incentive to have a more diversified supplier base. That would make some kind of sense, given that this would add costs to their management of the network.
In terms of security, I think it is a bit more difficult to see how that one might follow. I can imagine that there might be certain security issues where, for example, the decision might be made that a replacement is needed for a certain component in the network, or that they need to purchase some additional elements, and then you might imagine that it might help to have some sort of financial incentive to do that. But I think that would be on more of a case-by-case basis—I cannot see a clear, catch-all type of approach that would enable that.
Emily Taylor: I very much agree with what Professor Webb has said. Indeed, one of my reflections on the draft Bill is that it is very much at the stick end rather than the carrot end. Maybe we will start to see a bit more of the incentives coming through as the detail is filled out. But I think that thinking about incentives would very much reflect the close working relationship that there has historically been between the industry and Government. That is not the case in every country; it is actually a benefit in this case.
Security is expensive, and it is also long term. The telecoms supply chain review last year put it very accurately: the market does not reward investment in security—quite the opposite—so I would hope that there would be some recognition from Government about what is needed. I do not think that the investment in the diversification strategy is nearly going to match the investment that is required by the mobile providers who—yes, they are very successful large companies—have not had the great decade that, say, the Googles of the world have had in terms of their margins. So you are asking an already squeezed sector to make substantial investments, and I think that is the place where you could be looking at incentives.
There is one way of looking at this legislation, which is that it can provide a market-led opening for suppliers, in a market that is no longer, in the long term, going to be distorted by, for example, Huawei, with its state backing. Is there any evidence, therefore, that other suppliers—first tier and lower suppliers—are looking at this and thinking, “There is a chance here to get back into the game”?
Ms Taylor, you talked about security being quite a difficult and expensive barrier to overcome, but are there any discussions in the wider sector about there being an opportunity to be had here, or about whether, actually, a stronger diversification strategy is necessary?
Emily Taylor: The initiative is welcome—the diversification strategy is welcome—but, as Professor Webb has described, there are many barriers to entry for new suppliers. To build out an entire country’s network requires substantial scale, and, very understandably, the operators are risk-averse. You cannot just turn up and build out a network; open RAN is exciting, but, as you have heard from witnesses—and this morning, from Professor Webb—it is not ready, yet, to build out an entire country.
Also, the market distortions can still happen despite a diversification strategy. You can well imagine that the companies that decide it is attractive to enter this market are not, perhaps, the cheeky start-ups that you would want to encourage; they would be already dominant in other sectors. Imagine if we were sitting here, in five or 10 years’ time, lamenting the fact that the equipment market is now dominated by Microsoft and Google. I am just making that up as a hypothetical example—I have no knowledge to back that up—but those are the companies that have the sufficient scale and skills, and as Chi Onwurah said in her question we are moving to a more hybrid network, where skills in cloud computing and software are going to define the success of the player.
Professor Webb: If you want to encourage a new entrant—be that a company that has some skills in this space but is upping its game to develop a complete system, or a brand-new company—they have got to develop the equipment, and that involves developing a lot of software and hardware, and an awful lot of effort and investment. If you add yet more requirements on them—for example, security requirements—that makes their effort even harder; it makes it even harder for new entrants to compete with existing players, who have already made much of that investment, to have the scale and capability to add on that extra. Adding security is the right thing to do—I am not criticising that—but the implication is that it will make it harder to diversify the supply chain. What you want to do is make it as easy as possible for new entrants, with the minimum requirements on equipment, if you want to bring a larger number in.
Professor Webb: I am not sure it would quite work like that. I think the operators would always want to procure to a certain security standard, whether there is legislation or not, so everyone would have to get to that standard. Raising the standards bar would essentially require everyone to move up higher above that bar.
Emily Taylor: If I may, just to support Professor Webb’s point, the security standards do not level the playing field, although they are the right thing to do. In just the same way as we have seen some of the perverse consequences of, say, GDPR, the companies that have the scale and capacity to absorb the cost of compliance fare better than the smaller companies, who really do not have the scale and capability. The disincentive to enter the market, or perhaps the incentive to exit the market, as a result of these requirements, hits precisely the type of companies that you want to encourage, although it is welcome to see some recognition of that in the factsheets, with the tiering system. The third tier would probably let the smaller independent ISPs and providers off the hook. It is not quite correct to view it as the security requirements levelling the playing field. They are definitely required, and the market is not delivering that, but it will require close monitoring, I think, to ensure that there is still a competitive market.
Finally, could you sum up the chat around the sector at the moment? I get the impression that you are suggesting there is still a way to go to bring confidence that we can diversify across the broad range of the sector, as a result of this proposed legislation, and that there is still more reassurance and consultation required.
Professor Webb: Certainly, as I look at the information that I get back on ORAN, there is a lot more scepticism than optimism throughout the sector about its ability to do anything in the short term. We have talked a bit about why that is the case.
There is potentially more promise from the vendors that are somewhat established—the Samsungs and the NECs—and there is generally better comment about their ability to do something. If I had to look at what I am seeing around the industry and bring some advice, it would be focused on those vendors, rather than ORAN, as the most likely source of diversification over the next few years.
Emily Taylor: I can talk about the feedback that I have been getting. I come from a segment of the internet environment that has not historically been highly regulated at all. I would reflect that, if this Bill were brought forward to cover that sector, you would hear the screams. One thing that has really surprised me, and reassured me to a certain extent—it came through in the evidence you have heard—is that there is a degree of comfort with the direction of travel, and I think that speaks to the strong relationship that the industry has with Government on that.
We have five minutes left; I am afraid there is a hard stop at 10 minutes past 10 o’clock. Two Members are seeking to ask questions, so would our witnesses treat this as a quickfire round, with punchy, pithy responses?
Professor Webb: I think that has already been mooted. I doubt Ofcom has that capability at the moment. In principle, it could acquire it and hire people who have that expertise, but the need for secrecy in many of these areas is always going to mean that we are better off with one centre of excellence, where the threats are analysed, assessed and understood. We have that, of course, in NCSC.
NCSC would advise Ofcom, perhaps at a high level. Perhaps they would not need to detail exactly what the issue was, but they could talk to Ofcom about the mitigation, and Ofcom could be the entity that performs the proportionality of understanding whether a threat needs to be addressed and to what extent, in the midst of all the other things. That is how I would arrange these organisations.
Emily Taylor: Thank you for this question, which goes to both the capabilities and the culture. With the capabilities, as I have said in earlier remarks, Ofcom is going to need to upskill. In reality, as Professor Webb has said, they are going to be reliant on expert advice from NCSC, at least in the medium term, until there is a significant transfer of skills and technology, and in terms of the need for secrecy and a broader view.
Ofcom’s historical role has been much less interventionist than is foreseen in this piece of legislation. Those cultural changes go deep into the organisation and into the character of the people who work there. Cultural change is always difficult and takes time, so I would not underestimate the challenge.
You have about 30 seconds each, I am afraid.
Emily Taylor: I think it was inevitable after the US sanctions on semiconductor chips. It is something I regret, because the more difficult part is what we had been trying to do for 17 years, which is to treat all the networks as potentially vulnerable and adopt an evidence-based approach.
I do not think there is a going back from there. Unfortunately, the effect of the US sanctions has not just been on our domestic market. It will have hardened the resolve of China to have an entirely indigenous supply chain, and therefore will hasten exactly the outcomes that it is intended to avoid. We need a much more positive approach, investing in innovation and research, matching the capability and advocating for the benefits for a single, open and free internet.
Professor Webb: I do not have strong views. I think it depends, but clearly if it is high risk then it is probably appropriate to exclude them. The worry I have is that you end up focusing predominantly on vendors that you think are high risk, rather than on the overall security challenge, which will be across all vendors.
May I thank both our witnesses very much indeed for your informative evidence this morning, and for giving us the benefit of your wisdom and expertise? We are very grateful to you. That brings us to the end of the time allotted for the Committee to ask questions in the first session.
Examination of Witness
Dr Alexi Drew gave evidence.
We now move on to our next panel, which is a solo performance from Dr Alexi Drew, research associate at the Centre for Science and Security Studies at King’s College London. Good morning, Dr Drew. Would you be kind enough to introduce yourself and make a brief introductory statement?
Dr Drew: Good morning, and thank you for inviting me to present and give evidence as part of this Committee. My name is, as stated, Dr Alexi Drew. I have actually recently changed my position. I currently work at the Policy Institute at King’s College London, and my area of research is emerging technologies and their security and geopolitical implications. I have done a few pieces on Huawei in particular and the implications of supply chain security issues and risks, with publications in the Financial Times and so on, and that is why I find myself in your company today, I believe.
Thank you very much indeed. I am in the hands of Members. Who would like to ask the first question?
Dr Drew: I think the bigger picture is bigger than purely telecoms when it comes to China. China treats all its emerging technologies and its advancement of technologies—including telecoms, artificial intelligence and quantum research—as part of a broader means of advancing its influence, its economic strength and its geopolitical power on a global, regional and domestic stage.
Telecoms is a large component of that predominantly because, as I am sure you are all aware, the future of telecoms is essentially the provision of what will be the backbone of most of those other technologies; you require a good, advanced telecoms network to gain the full benefits of applications of artificial intelligence or quantum networking, for example. I think China and the CCP have essentially seen that telecoms is a key component of that and have thus done as much as they can both to strengthen the sector within China, and to export that to gain further routes for the future stages of implementing more technological growth and economic and political growth through the next stages of their emerging technology portfolio.
Dr Drew: I would say that is definitely the case. It is market domination primarily for domestic, good use: it is a mistake to think of all that China generally does as primarily internationally orientated. The primary interest is domestic strength, security and stability. The fact that that can be achieved through gaining dominance in markets outside China is an added benefit.
Dr Drew: It is very similar. That is a great point to make. Pretty much wherever you see belt and road initiatives in, say, a port or supply chain of a physical good, you will see simultaneous investment and market input in a telecoms sense. There is a digital silk road as much as there is a belt and road initiative in the physical goods and supply chain sense.
They are becoming increasingly entwined fields; 10, maybe 15 years ago you could easily have seen a distinct separation between the physical supply chain and the digital supply chain. That differentiation is fading as we progress through time, and I think the Chinese have worked that out perhaps faster than we have and they are rapidly making inroads in order to amplify that effect and gain the benefits of it.
Also, you have great experience in evolving security threats. In your view, does the Bill address major telecommunications threats to national security—future and evolving threats? For example, do you think this Bill would have helped to mitigate the impact of the recent SolarWinds Orion network monitoring hack, which was also mentioned by a previous witness?
Dr Drew: I will start with the question of values. I am a great believer that technology and values and norms of behaviour are implicitly connected: you cannot separate them. It should be explicitly understood that it is an implicit truth. I believe—and I have stated this before to some of your colleagues and civil servants in various Departments—that the CCP has realised that the great firewall of China, which tries to police content within China, has holes in it and is not going to last, or was not going to last, given the direction that the internet, freedom of communication and transfer of information is going.
The next logical step, and what I believe is happening, is that if you cannot control the internet within the great firewall, it is better to be able to shape the internet everywhere, both outside and inside it. I would argue that a lot of the technological standard-setting that you see take place in the ITU and elsewhere is essentially that taking place, as is the use of social media platforms to harvest data, which is then used to aid in the censorship of domestic content within China.
With regard to evolving threats and the Bill specifically, I think that the Bill goes a very long way towards pre-emptively meeting threats that are likely to come in the future. My biggest issue echoes what I caught of the previous witness statements: the fact that it is a matter of capacity for the institutions that are given this responsibility—that is, Ofcom—and the ability to change their culture to actively engage within that framework and take action to ensure these standards are met and kept to. Those are my biggest queries about the ability of this Bill to be as forward-looking as we would like it to be.
Finally, with regard to SolarWinds, I think this Bill is aptly timed in a way, given the context of this particular threat. SolarWinds was a perfect example of a supply chain security risk, and a vector of attack that went through a diverse supply chain to meet what should have been some of the most secure systems that the United States had.
Telecoms will, as I have already said, be the backbone of all the UK’s future advancements of technology in all the things we are seeking to develop within our borders. The hardest thing to do as an attacker is to gain access. We should be making it as hard as possible to gain access; we should be making sure that there is as much oversight and understanding as is possible of where our supply chains go, the standards that they should meet, and whether those standards are being met, and I think this Bill goes some way towards that. I would argue that it needs to be continually updated, checked and maintained. This is not a one-off: times change, and the internet changes faster. Those would pretty much be my recommendations.
Dr Drew: The two essentially go together. If you look at the membership and those who take part in ITU standard setting committees and groups, you will see a predominance of not only state representation from China, but also representation of Chinese companies.
I think it needs to be made clear to our providers the benefits to them of being able to set standards; I believe this has been overlooked. The easiest way to do that is to simply look at some of the technical standards that have been set or lobbied for in this group by companies such as Huawei and ZTE, which are essentially entrenching their technical standards into a global standards body—that obviously gives them an advantage in producing that output. I think our companies could benefit in exactly the same way, and they would certainly benefit from taking part.
On having providers be more proactively involved, I think it would make complete sense for these actors to be made to inform Ofcom, or whichever regulator is chosen, of significant changes to their supply chains. It would be akin to having a black box where we go, “Okay, this black box must output something secure, but we don’t need to know how it gets there.” I think we should know, as much as is possible, who is involved in the supply chains to reach our eventual telecoms network.
Dr Drew: It is undeniable, as the previous witness stated, that this Bill will increase costs and potentially slow down the pace at which development of these technologies, to the standards that are now being asked for, can be done. I have been asked similar questions before about what is the cost of us not getting to 5G roll-out as soon as possible. My general response has been to point out that although 5G is a backbone technology that provides access, we have very few practical applications of the speeds and connectivity that this network will provide us with.
It is something that you might see on your phone, but the increase in speed from having a 5G connection will be almost so fast as to be unnoticeable to the normal user. We have not got to the point where we have large city-wide technologies that will draw on this infrastructure, such as traffic management, health systems and economic production systems.
Although there might be a delay and an increase in cost—which again, I think we should try to meet in a way that incentivises more players to come into this market—I think this delay is not crippling. That is because, at the moment, although the 5G technology itself is maturing, the uses of that technology are still immature and I do not think we are losing out too much if we have a slight delay, with the benefit of reaching greater security.
Dr Drew: I believe they were. I have seen a lot of attempts to quantify the damage or impact of limiting our vendor net, as it were. With the removal of Huawei, I have seen multiple attempts to put a value to that—of the slowdown and having to go to different vendors. I am uncertain as to the accuracy of any of those, and I think that it would be very difficult to put a number on that in any useful sense.
My impression is that there is nothing that should stop us from being able to enact the goals of this Bill and the incentives to diversify the market, while also being able to develop and invest in the next stage of 5G use, which is its actual application, and to marry those two up together in a manner that provides us with both security and financial and economic benefit from putting these systems in place.
Dr Drew: I think what needs to be considered in that question is the type of resources that will be the hardest for Ofcom to acquire. I frankly believe it is not necessarily technology; I believe it is actually personnel. The edge that is given to companies that have already been mentioned in your hearings today—Google, Microsoft, Facebook et al—is not necessarily in the technology, but in those who design the technology. Those people are hard to come by at the level that we require them at. They are also very hard to keep, because once they reach that level of acumen and they have Google, Facebook or Amazon on their CV, they can pretty much choose where they go and, often, how much they ask for in the process.
I think the biggest issue that Government face—not only in Ofcom, but in regards to future technology policy—is attracting and keeping those individuals who can provide the services and understanding, as well as develop the tools, that a future Government will need. If you can demonstrate a way to capture that talent and retain it, I think that would go a long way to soothing any potential questions about whether Ofcom will be capable of meeting the requirements of this and other Bills. This goes across all Departments, I feel.
Dr Drew: Yes. I believe that this is potentially one thing where, as much as possible, greater co-operation between these Departments should be encouraged, to the extent that it is possible to do, given how the security dynamics of the different Departments work. Quite frankly, Government do not have enough of this kind of personnel and expertise. What you do have, you must ensure is used as effectively as possible. That means that you cannot let them languish in one silo or Department, when their expertise would be highly useful in another where suddenly they find themselves dealing with types of issues that are far beyond their normal remit.
I think the Minister is relying on good co-operation between the two organisations, but it is clear from the 2013 ISC report on critical national infrastructure and Huawei that civil servants with a bent for looking at economic development did not have their eye on the ball in terms of security, and they did not even tell Ministers about security concerns that were clear then.
Dr Drew: That is a fantastic question. The best way for me to phrase this is that I believe there is an imbalance that is natural to those who have a particular role within Government or the civil service. Those with responsibility for economic advancement will have a different take on the same issue from those of their colleagues with a security bent to their work.
I find this is a complex topic that needs to be balanced across those different interests. That is why I would generally lean towards co-operation between these groups as opposed to others. I also suspect—although, due to the nature of their work, I cannot be certain—that GCHQ and the NCSC have significant work already, which is only likely to increase. Although they might have the technical capability that Ofcom lacks, I am not sure they have the capacity to take on the sheer volume of work that this is likely to create. I would argue that, actually, more resourcing in general is required for whatever co-operative body is created to carry out the actions of this Bill and other Bills attached to it. That is needed.
Dr Drew: I would agree with you. I believe that the decision needs to be taken on a security level first, because insecurity and the risk of a poorly made decision would have negative impacts on the economic outputs as well. I am not certain that where it is currently vested in this Bill is the best place for it, but I also believe that transparency is the other balancing component here. I have had some conversations with one of the companies mentioned quite predominantly in this literature, and their biggest press is that they feel that decisions are being made with a lack of transparency and a lack of technical justification, and that it is all politics. The best way to solve that is through transparency.
Dr Drew: It potentially could, depending on the type of company that you are attempting to incentivise. It would have a different effect on those potentially two or more categories. If you take one category to be pre-existing companies that previously have not operated within the UK, such as NEC from Japan, they are likely not to be put off to such a great extent—they have already had to deal with some level of security commitment within their normal markets. However, I suggest that it could be more of a barrier to entry for the smaller companies that we are attempting to encourage to get into this market. Emerging companies would find a culture of components and cultural risk to how they view their work, as well as the technical and financial cost of meeting the new standards. Yes, I believe there would be an impact, but it would be different between types of vendors that you are seeking to encourage.
“to further the interests of citizens in relation to communications matters; and to further the interests of consumers in relevant markets, where appropriate by promoting competition.”
Do you think there is an argument to add a further security duty, if that is going to take such a large portion of Ofcom’s capacity?
Dr Drew: As to the second question first, I believe that security should be a component here. In fact, I believe it fits with what Ofcom is likely to be responsible for, and with the Online Harms White Paper as well. Security is fundamentally and inexorably linked with technology, culture and communications in the modern sense, so I believe that it would be important for that to be included as a key provision for DCMS.
With regard to the differences between fixed networks and 5G and the implications of this Bill, in the efficacy of its methodology towards the other, there are technical differences in how 5G operates right now and how we perceive the next generation of telecommunications to operate, but those differences will change over time, I believe. They will become less distinct. It is likely that fixed networks will move towards the concept of computing on the edge, and this is indeed already happening in some senses.
As for the actual efforts to control security risk, I do not see any major differences between telecommunications suppliers and fixed network suppliers. There is the same potential risk. You mentioned the SolarWinds hack earlier. That was a fixed network supplier in a way—it was not telecommunications—but there was the same risk involved and the same means of access, through a diversified chain with limited oversight at Government level, because it is a private sector actor with limited responsibilities. That is as true in that case as it would be for a fixed network with Cisco, and as it would be with a telecoms provider by ZTE, Huawei, Ericsson or any other. I do not think there is a significant technical difference to mean that the goals and direction of this Bill could not, and perhaps should not, be applied to others.
Dr Drew: That is a great question that comes with a very simple answer: no. The worst-case scenario for creating a risk in this sense is when monopoly meets supply chain—insecure supply chain in this case. Arguably, the reason why SolarWinds was so successful is that it provided the same service to so many different organisations and departments in the United States. Therefore, if you access one—SolarWinds—you access almost all. That is the risk.
The same is true in this sense if you transfer these issues to telecommunications or fixed networks. If you have only a single supplier, all it takes is that supplier to be compromised for your whole network to be compromised. As I said earlier, with any form of cyber-attack, the access is always the hardest part if you are the attacker, so if you have an easy target or if the target is just one point, they can throw all their resources at it and it is easier. I would argue that diversification is one of the most basic and probably most effective means of limiting the damage that could be caused in any attack against one of those vectors.
Dr Drew, there are no further questions from Members, so I thank you very much indeed for your time this morning and for sharing your expertise with the Committee.
Dr Drew: It was a pleasure. Thank you.
Examination of Witnesses
Simon Saunders and Lindsey Fussell gave evidence.
We now move to the next panel, which consists of Simon Saunders, director of emerging technology at Ofcom, and Lindsey Fussell—I hope I pronounced that correctly—group director for networks and communications, also from Ofcom. In the previous two sessions we have been talking about you quite a lot, and now is your chance to respond. Could I ask you to introduce yourself and give a brief opening statement, starting with Lindsey?
Lindsey Fussell: Thank you, Chair; that was the correct pronunciation of my name. I am Lindsey Fussell, I am the group director for networks and communication at Ofcom. My group oversees all of our telecoms regulation, including the new responsibilities for network security that we will be talking about today. I am sure we will have a lot of conversation about the nature of our responsibilities, but I think by way of opening I would say that we very much welcome the Bill. The National Cyber Security Centre found in carrying out its telecoms supply chain review that our existing responsibilities and the existing approach that operators took to telecoms security—and our powers as a regulator alongside that—really needed substantial strengthening, so it is great to see that happening in the Bill, giving operators the certainty of what they need to do to promote telecoms security.
Simon Saunders: Good morning, I am Simon Saunders, Ofcom’s director of emerging and online technology. I have worked on mobile network technology since 1991, before there was 1G, all the way through to current work on today’s and future implementations of 5G. Last week we published a round-up of technologies that could form the basis of future 6G networks. I have worked for mobile equipment vendors, operators, large end users and software companies. I founded and chaired an industry association, the Small Cell Forum, where I led a previous initiative on interoperability and open standards—in that case, in 3G—and I have invented a number of mobile technologies.
Today, I lead Ofcom’s technical work on diversification, including Open RAN. I provide technical advice on behalf of Ofcom to the telecoms diversification taskforce. I hope I can help the Committee with issues on diversification, Open RAN and Ofcom’s potential role in that area.
Thank you both very much. James Wild will start the questions, followed by Sara Britcliffe.
Lindsey Fussell: I think I will lead on that one, if that is all right. Thank you for the question. I will start by clarifying Ofcom’s role in the two parts of the Bill—I am sure we will talk about both. We have a significant role in relation to the telecoms security requirements, where we will have the obligation of monitoring and enforcing operators’ compliance against them. In relation to high-risk vendors, our involvement is rather more limited. The Secretary of State will have the power to direct us to collect factual information from the operators, but the question of monitoring, compliance and enforcement then rests with the Secretary of State. I thought it might be helpful to clarify the two different roles before we got going.
In relation to telecoms security, as you say, these are important new responsibilities. We have existing responsibilities for network security—and have had since 2011, albeit in a more limited way—so we have a network security team in place. We are also very familiar with monitoring clients and enforcement, and with working with precisely the same set of operators that we will hear about on the remit of other responsibilities, so we have a base to start from. That absolutely does not underplay the difficulty, importance and challenge of building up our resources to deal with this. We anticipate that the cost will be around £6 million to £7 million in steady state, and we will build up a team of probably 40 to 50 new people and new resources to cope with those responsibilities.
Simon, do you have anything to add?
Simon Saunders: On our capabilities relevant to the expectations end of things, we are building on our existing capability, working with mobile operators and network providers on the equipment and the software. That is spread across Ofcom, in the leading networks group that Lindsey leads, the spectrum group, and indeed in our technology group, which I look after. In the relevant teams, we have been adding capabilities in with recent experience, with the mobile operators and mobile networks applying the formal diversification.
Lindsey Fussell: We have indeed already started to build up our team, and have had some success in recruiting people with experience of network security—from the operators, for example. We do not underplay the difficulty of doing that; I completely agree that those are sought-after resources. Frankly, it is unlikely that we will be able to compete on salary. The type of people we attract are those who are interested in looking at these questions from that broader perspective—looking across the industry—rather than in their previous roles in companies.
We have found that we can have some success in that, but we will also have to be creative in the way that we approach this. We are thinking about how we can build up a pipeline, for example. The NCSC has accredited a number of university courses, and we are looking at how we, alongside the NCSC, can pick graduates up from those courses, for example, to build up a future pipeline of staff, as well as bringing in people with more direct experience.
Simon, do you have anything to add?
Simon Saunders: No, not in that area. It might be relevant to mention, just to make the point that it can be done, that I actually joined Ofcom from a role at Google.
Lindsey Fussell: Are you referring there to the high-risk vendor powers?
Lindsey Fussell: Yes, I think so. It is important to say that, across the scope of the whole Bill, it is not Ofcom’s role to make national security judgments. That is really important. Clearly, that is the Government’s and the Secretary of State’s role, taking advice from the NCSC and the intelligence agencies. In relation to telecoms security, that has enabled us to take the very detailed work and the threat assessment that the NCSC has done, which have been translated into a set of requirements in the code of practice, and to apply those and work with operators to monitor and enforce that compliance without having to make those national security judgments ourselves. On high-risk vendors, I think it inevitable that there will be more national security judgments to be made, so it is quite proper that that role sits with Government rather than the regulator.
Lindsey Fussell: As I say, we have existing networks security responsibilities, so the issue of security clearance is one that we already need to deal with. I think the point that I have just made is important: we will not be making national security judgments, and that means that we will need access to less national security information than you might imagine. I do not think that we will be routinely handling national security information, but where the NCSC feels that it is required, there are clearly provisions in place for that.
Having said that, as now and in future, there are occasions when we have to handle sensitive information, and we do have the necessary security clearances in place at different levels for our staff to do that. As we recruit, we will obviously ensure that people have those necessary security clearances so that we can handle any sensitive information that we are given.
Lindsey Fussell: We would clearly take guidance from the NCSC and others on whether they think STRAP clearance is required, because of course, it is for the agencies to have STRAP clearance and to classify information. I have had STRAP clearance in the past, in my previous roles in Government, for example, so I am well aware of the different security classifications that are required and the nature of the information that is to be handled. At the moment, the NCSC has not signalled to us that it thinks we require staff with STRAP clearance, but clearly, if it feels that that is needed for the type of information that we may need to handle, we would make sure that happened.
Lindsey Fussell: Our role in relation to the requirements is pretty clear. The Government, through the legislation that is being considered by this Committee, are setting out a series of duties on providers and then giving us a code of practice, which has been developed through the work that the NCSC did. That sets out in some detail what operators, in particular the larger operators, will be required to do to meet those requirements. What we will be doing is monitoring, discussing with and talking to those operators as they go on that journey, and ultimately—of course—enforcing compliance, if we think that is needed. Of course, our trade-off is always to be proportionate in the application of our powers, but it is quite clear that the expectation is that we will enable, encourage and require operators to comply with the requirements.
Stepping back from that, there is clearly a balance of judgment that the Government have taken in bringing forward these measures. We all want, for example, to see people across the UK getting the best connectivity possible as fast as possible. This Bill may well have an implication for some of those plans, albeit that operators are well aware of what is coming. But of course the balance of judgment is the importance that security plays for consumers, in making sure that they have access to secure networks, and bearing in mind the significant costs that can be incurred by companies and ultimately by consumers if there are cyber-attacks.
Can I ask you about an issue regarding oversight? Frankly, I am not a great fan of quangos, because I think their accountability is limited and they allow Ministers to offload difficult responsibilities on to people who have very little parliamentary oversight. Regarding the oversight of your organisation from Parliament’s point of view, some of these decisions will clearly be highly classified. The Digital, Culture, Media and Sport Committee will not be able to look at them, because of the security classification. So how will we ensure that you and Ministers will consider the importance of security around these issues?
Lindsey Fussell: That is a really important question. Clearly, we are accountable to Parliament—
Lindsey Fussell: And we are ready to come and give evidence about our work to any Select Committee that would like to hear that evidence.
As I say, we ourselves will not make national security judgments, but I hear your point that the relationship and the role that we play in monitoring telecoms security, and enforcing those obligations on operators, is a very important one. Under the legislation, we are required to provide an annual report to the Secretary of State about what we find on the state of play regarding how operators are moving towards compliance, and indeed on any security compromises or incidents that we have uncovered and the action that has been taken in relation to those, and on any new threats or other issues that we have identified.
It will then be for the Secretary of State to consider whether they publish that report, and how much of it they publish. We will publish a summary of our work in our annual Connected Nations reports; we do that now. And as I have said, of course we will be ready to talk to any Select Committee that wishes to hear evidence of our role and how it is playing out.
Lindsey Fussell: I think that is really a question for Government rather than the regulator. We will be ready to provide whatever accountability the legislation requires of us, as well as providing direct accountability by talking to Parliament and Select Committees.
Lindsey Fussell: I think the structural framework helps us a great deal here, as I have already indicated. Clearly, the NCSC carried out a really detailed supply chain review, which identified the threats that could occur in different elements of the network, and it has now turned that into telecoms security requirements and, ultimately, into the code of practice. We will be giving—indeed, the legislation requires us to—considerable weight to that code of practice and the judgments that the NCSC has reached on what is required to combat threats. That will then enable us to judge and monitor whether operators are doing what is said in the code of practice.
If, for example, an operator were to say to us that it was not going to meet something set out in the code of practice because it considered that an alternative way would meet that threat, we will have arrangements in place with the NCSC to enable us to seek its advice and guidance at that point on whether that satisfies the requirements of national security.
Lindsey Fussell: Clearly, we would start that conversation within the team and escalate it if necessary, but I do not think that it will actually be an issue in practice. We already have very good working relationships in place with the NCSC, and regular collaboration and discussion. The legislation enables us to share information with the NCSC to enable either it or us to perform its duties. I do not think that there will be any issue in practice, or any surprise in terms of our regular interactions with it.
Lindsey Fussell: Yes, we do. Of course, like any organisation, you would expect that. Ofcom has a range of people with different skills in it, as you would expect. It is actually far broader than, for example, some of the Government Departments that I have worked in before. We have people who are specialist technologists. Simon has talked about his experience. We have economists, lawyers, colleagues who specialise in enforcement, colleagues who specialise in policy, and many other professions. Although people absolutely do move and develop their career, and certainly in relation to these kinds of new responsibilities we will look to upskill existing colleagues where that is possible and where it makes sense to do so, we also employ an awful lot of specialists who will tend to stay more in that specialism and apply that to our work.
Lindsey Fussell: I am certainly not going to deny that there is quite a lot going on, and the organisation is expanding, as you say, albeit with different deadlines and different timescales for the new responsibilities. I have already talked about our recruitment plans to ensure that we have the specialist skills in place to focus particularly on network security, as well as the enforcement and legal support that we will need to deliver this regime, which is a very important part of it.
It is also worth reflecting, though, that there are some really interesting overlaps between different areas of our new responsibilities. If I think of the responsibilities that we have just taken on in relation to video sharing platforms, we are having to understand, as part of those responsibilities, network infrastructure, data analytics and so on. All that actually calls on similar skills and experience that we will need for the regime that we are talking about today, so there is some crossover that we can draw on. Simon, did you want to add anything on that?
Simon Saunders: Absolutely. We have different teams that we are building for the different responsibilities, but there are definitely overlaps between them, and in particular we have built a team of technologists particularly to inform our work on online issues, including, but not limited to, online harm. That comes with a need for us to have technologists who have worked in, and understand, a range of cloud-based computing platforms and the online social media platforms in general. The underlying [Inaudible.] technologies are the ones that increasingly telecoms networks are being built with as well—the so-called cloudification, or virtualisation. So, helpfully, when we recruit specialists in the one area there is the opportunity for them to contribute to the other areas of our responsibilities and to ensure that our approach to these things is [Inaudible.] I think we actually get benefits from having multiple of those duties, rather than separating them.
I want, with permission, to ask a question about three areas: security, assets and costs, and duties. I share some of the scepticism of my right hon. Friend the Member for North Durham about the statement that Ofcom will not be making decisions on national security. You will clearly have duties with regard to national security and one of the key duties is to ensure compliance of our entire network—all our networks—with national security requirements. So how are you going to ensure that compliance without taking decisions on security? You seem to suggest that it is just going to be a set of protocols, if you like, from the National Cyber Security Centre, and you are just going to look at ticking the boxes to see that they are met; but in practice that cannot be the case. It is far more complex than that, particularly with regard to emerging technologies.
Another issue is that the Bill puts all the requirement to ensure compliance on Ofcom, in terms of Ofcom seeking information, Ofcom requiring information, Ofcom setting out notices to inspect, and so on. For example, let us say that one of our network operators—I shall not name one—decides to buy all its cloud or virtualisation equipment from a Chinese manufacturer that is not designated a high-risk manufacturer. Would Ofcom be informed of that change in its network? How would that pass to the National Cyber Security Centre—or would it not? Without that kind of duty in place, is there a risk of what you do becoming a meaningless tick-box exercise and, particularly, of its not addressing future and emerging security threats? That is my first question.
Lindsey Fussell: The point that you raise about this needing not to be a tick-box exercise is absolutely vital. I think actually what we are talking about in this legislation is changing culture—crucially among operators but also in terms of giving the regulator new responsibilities and changing the culture that we have, and the responsibilities and the range of the role we take on in relation to this. So this is absolutely—the legislation in fact specifically says so—about future technology as well as about existing networks. It is critical, I think, that we and the operators go on this journey together in terms of promoting that security by design, in everything that is done.
Picking up your question specifically in relation to assets, I think it is more or less impossible to meet the requirements set out in the code of practice for the operators unless they have a detailed asset register of everything that is in their system. We would expect to see evidence of that, and that it is regularly checked, audited and so on. That would be an expectation for us.
On the relationship with the NCSC, as I say, we have specific provisions in place that enable us to share information with the NCSC. As we collect that information with operators, we will discuss with them in advance what type of information they want to see on a routine basis, sharing that and clearly taking guidance from them as necessary if they think there are national security issues that we need to be aware of.
I mentioned earlier about having security clearance in place. To expand on that answer, we have a small number of STRAP-cleared staff in Ofcom, and we will expand that if need be. Those relationships with the NCSC are already in place and will be productive. I should say also that if the NCSC identifies new threats, or if we identify new threats, I think the legislation is flexible and it is right to be so, in that the code of practice can be updated to reflect that.
Simon Saunders: Could I also add that, in respect of our role in emerging technologies, we are not only awaiting others to tell us which emerging technologies to pay attention to? We have our own independent programme of monitoring and horizon scanning for technologies that could appear and have an impact on the networks and the sectors that we regulate. Clearly, the implications are not only about security. They cover a wider range of issues of performance and costs and flexibility and so on. We actively monitor across these sectors for those technologies.
I mentioned earlier that we recently published something about technologies heading for the future generations of mobile. That also covers fixed networks, the advent of quantum technologies and distributed software technologies in networks, and so on. That programme yields an advance look for colleagues about threats and opportunities that are coming towards us into the markets, so that we can build the skills and consider the implications well in advance of their actually impacting on those networks.
Lindsey Fussell: We would, as I say, expect providers to keep detailed records of the components that they use in their networks. I would expect that that is the type of information that, if a significant new vendor is brought into the market, the NCSC might well be interested in. It is worth saying that, while we do not have any direct regulatory powers over the vendors themselves, under these arrangements operators are required to assess the maturity of the vendors and suppliers they use, and the NCSC has issued guidance to them to enable them to assess that maturity. If the question is: if we see a brand new supplier starting to appear, is that the kind of information that we would expect operators to provide to us and for us then to share it with the NCSC? The answer to that question would be yes.
Can I come on to duties? I have the Communications Act here, which has got a lot thicker since I left Ofcom. The two duties are the “interests of citizens” and the “interests of consumers” with regard to competition, but there is not a duty on security. Does that not suggest that if there is a conflict between competition or communication matters, that will be prioritised over security if there is not an explicit duty to maintain the security of our networks?
Lindsey Fussell: I think this legislation quite clearly does place explicit duties on us to monitor and enforce the compliance of operators on network security requirements. I do not see that there is any risk that we would downplay the importance of that duty in comparison with others. Clearly, it is for the Government to put forward any changes to legislation to change the balance of our duties or to add new ones, but I think the Government—and, indeed, Parliament—are asking us very clearly to take on those responsibilities through this new legislation.
To pick up on a point I made earlier, in terms of the interests of citizens and consumers, it is important to say that of course it is in the interest of citizens and consumers to have excellent networks functioning that provide them with great connectivity. If we have learned anything from this most recent period, it is how important connectivity is to everybody’s daily life. Of course, that comes across in pricing and support for more vulnerable consumers, and all those other things that we have responsibility for in telecoms.
Actually, promoting secure networks is absolutely in the interests of consumers and citizens as well, not just because of the really damaging consequences of cyber-attacks, but because, ultimately, if we are able to have better networks, that should enable greater economic innovation through 5G use cases and things like that, for example. I think in promoting the interests of citizens and consumers, telecoms security is clearly part of that.
Lindsey Fussell: It is probably worth saying that, from an international perspective, although there are some other countries—notably Germany and Australia—that have started to explore strengthening their telecoms security framework, I am not aware of another country that is quite as forward leaning in terms of the framework that is being put forward in this legislation.
In terms of the fines, this is an important point—those fines match the level that we are currently able to levy in relation to our other telecoms requirements, such as breaches of our general conditions. Previously, under our past responsibilities, our fines were limited to £2 million, so really quite a small amount compared with the wealth of the largest operators. I think it is appropriate that the telecoms security fines match what we are able to do elsewhere.
The final point I would make is that fining is an incredibly useful power to have because it acts as a significant deterrent and a strong incentive for companies to comply. It is actually not the first lever that we reach for, certainly not maximum fines; it is there and we are ready to use it if we need to, but our starting point would be to work with operators on this journey as they move towards compliance as they respond to new and emerging threats.
Lindsey Fussell: Yes, of course, I am very happy to do that. As you say, we have responsibility now to monitor and enforce compliance on security. The difference, which is why I think this legislation is so welcome, is that at present we do not have any obligations set out as to how operators need to meet those security requirements. It has been basically up to them to decide what is necessary. While many companies have invested very heavily in their security—I would not want to suggest otherwise—clearly there is a journey to go on and improvements that need to be made. It is very welcome that we now have this much clearer framework, so that operators know what they need to do and we can enforce against it.
The other point that is worth bringing out is that, at present, operators are under a requirement to report incidents to us, but the nature of that reporting tends to be around incidents that cause outages. We do get a lot of those—caused not just by cyber-security but by wind, weather and other issues. Quite a lot of cyber-security incidents are, frankly, precisely designed not to cause outages, because it is in the interests of the malicious actor to allow the network to keep operating while they do whatever they are up to. The new requirements on operators are to tell us not just if there is an outage but if there is an incident where they believe their system may have been compromised. They are wider ranging and welcome powers.
Lindsey Fussell: Yes, so the way the legislation works, as you say, is that there is a primary duty on operators to promote security of their networks, and on us to enforce and monitor compliance against that. My understanding is that the secondary legislation will set out around 40 to 50 sub-duties on operators, which they will all need to meet—that is all operators and providers of electronic communications services.
Underpinning that, each of those sub-duties will be reflected in the code of practice, setting out the details of what the operators need to do to meet each of those sub-duties. As I explained earlier in relation to the questions we discussed on national security, we are entitled, as the regulator, to place quite a lot of weight on the national security judgments that the NCSC and the Government have made in drawing up both those sub-duties in the code of practice, in responding to the threats identified.
Any other questions from Members?
Lindsey Fussell: In relation to Ofcom’s costs first, Ofcom is funded in two ways: first, by a levy on the sectors and companies that it regulates and, secondly, through the collection of fees, primarily from our spectrum duties. Our overall funding is obviously agreed by our board but also subject to a cap agreed with Government each year. We are currently in discussion with the Treasury about the exact technicalities and which of those routes will be used to fund this, but it will be in line with Ofcom’s normal funding arrangements.
In relation to company costs, clearly the Government have looked into that, in discussion with operators in relation to the impact assessment for the legislation. I know that there is a plan to do further work on that in relation to telecom security requirements, once companies have had a chance to see the SI and the code of practice.
The point here, which is built into the legislation, is the concept of proportionality. Although we would expect the largest operators—we would work with them intensively throughout the process—to take part in, for example, penetration testing, it is likely we will be more proportionate with the smaller operators and, for example, respond on an incident-based approach, rather than expect them to carry out the same level of detailed work and interaction with Ofcom. In all of that, we would want to be proportionate in the costs imposed on operators, as we are in all our responsibilities, bearing in mind that these are really important responsibilities, as we have been discussing.
Lindsey Fussell: If I may, I will bring Simon in on the question of diversification. In relation to costs, the bulk of Ofcom’s own costs are paid by larger operators rather than smaller ones, and we have talked about proportionality in the way we operate that. Again, although I understand the tiering of the system will be set out in the code of practice, that will also be based on size and scale. Simon, may I turn to you on diversification?
Simon Saunders: The diversification strategy that the Government have published has set out a desire to attract new suppliers to the UK and further expand suppliers through open solutions, among other means, and to ensure that that is supported by an appropriate regulatory framework. We are ready to do what comes from that, in terms of any objectives the Government set on the level of diversification and to support measures to enable that. There are clearly synergies between the security aspects and the diversification aspects: in determining how diverse the supply base is, having a fully populated and up-to-date asset register from the operators for the security needs will also support the requirement to assess the diversity, if that is what we are required to do.
Simon Saunders: Our existing duties around ensuring the health of the communications market for consumers and citizens point in the same direction in many ways, even if diversity is not spelled out explicitly. We see that a functioning, competitive market for network equipment supports the operators’ ability to provide cost-effective networks that perform well, and that supports the needs of citizens to get great services wherever they are and for those services to be reliable and so on. I do not view this as an entirely separate area from our existing duties; whether specific duties around this are needed is part of the work we are doing to support the taskforce and the plans that come from that.
This will have to be a very quick answer, because we have to stop at 11.25 am.
Lindsey Fussell: I think that the National Cyber Security Centre takes the decision on national security. Of course, the Government ultimately have the power for that but on the advice of the NCSC. Decisions on enforcement and compliance are for Ofcom, following the code of practice that the NCSC has created for the Government.
Lindsey Fussell: I think in that case we would take the guidance of the NCSC. In practice, I really don’t think that is likely to occur. Ultimately, the final decision on whether an operator has complied and whether we enforce is with us. The NCSC would not be able to overrule that decision, but we would be taking that decision in the light of the information we would have been given from NCSC about what is required to meet national security.
Lindsey Fussell: I have read that report, thank you.
Thank you very much indeed to our two witnesses. We are very grateful to both of you for your time this morning and for the expertise you have shared with us.
The Chair adjourned the Committee without Question put (Standing Order No. 88).
Adjourned till this day at Two o’clock.
Telecommunications (Security) Bill (Fourth sitting)
The Committee consisted of the following Members:
Chairs: Mr Philip Hollobone, † Steve McCabe
† Britcliffe, Sara (Hyndburn) (Con)
Cates, Miriam (Penistone and Stocksbridge) (Con)
† Caulfield, Maria (Lewes) (Con)
Clark, Feryal (Enfield North) (Lab)
Crawley, Angela (Lanark and Hamilton East) (SNP)
† Johnston, David (Wantage) (Con)
† Jones, Mr Kevan (North Durham) (Lab)
† Lamont, John (Berwickshire, Roxburgh and Selkirk) (Con)
† Matheson, Christian (City of Chester) (Lab)
† Onwurah, Chi (Newcastle upon Tyne Central) (Lab)
† Richardson, Angela (Guildford) (Con)
† Russell, Dean (Watford) (Con)
† Sunderland, James (Bracknell) (Con)
Thomson, Richard (Gordon) (SNP)
† Warman, Matt (Parliamentary Under-Secretary of State for Digital, Culture, Media and Sport)
† West, Catherine (Hornsey and Wood Green) (Lab)
† Wild, James (North West Norfolk) (Con)
Sarah Thatcher, Huw Yardley, Yohanna Sallberg, Committee Clerks
† attended the Committee
Dr Andy G Sellars, Strategic Development Director, Catapult Compound Semiconductor Applications
Dr Nick Johnson, Independent consultant
Heba Bevan OBE, CEO, UtterBerry
Helen Duncan, Managing Director, MWE Media
Mike Fake, Director and Co-founder, Lumenisity
Dr David Cleevely CBE, Independent investor in many telecoms companies
Doug Brake, Director of Broadband and Spectrum Policy, Information Technology and Innovation Foundation
Public Bill Committee
Tuesday 19 January 2021
[Steve McCabe in the Chair]
Telecommunications (Security) Bill
The Committee deliberated in private.
Examination of Witnesses
Heba Bevan OBE, Dr Nick Johnson and Dr Andy G. Sellars gave evidence.
Good afternoon. We come to our fourth panel of witnesses today, consisting of Dr Andy G. Sellars, Dr Nick Johnson and Heba Bevan OBE. We have until 2.45 pm for this session. I will ask the witnesses to introduce themselves for the record, starting with Dr Sellars.
Dr Sellars: Good afternoon, Committee. I am Dr Andy Sellars and I am the strategic development director with the Compound Semiconductor Applications Catapult. We are a non-profit research and technology organisation that helps UK companies to exploit new technologies, predominantly for electric vehicles, quantum technologies and advanced telecom products. I look forward to answering and helping the Committee with their inquiry.
Heba Bevan: Good afternoon, and thank you very much for having me. My name is Heba Bevan, and I am the CEO and founder of UtterBerry Ltd. We are a company that deals with artificial intelligence and very heavily with wireless sensor networks or internet of things solutions. We provide our solutions to major infrastructure such as Crossrail, London Underground, Network Rail and Tideway, and we are also involved in healthcare. We design systems that are part of the IoT system, dealing with communications. My background is that I am an electronics and computer engineer and I used to design central processing units for Arm Ltd.
Dr Johnson: Good afternoon. My name is Nick Johnson, and until a month ago I was chief technical officer of ip.access, a UK-based small cell vendor that was bought in September last year by Mavenir—I think you guys interviewed Mavenir on Thursday—but I left at the beginning of this month, so I am now independent. I just want to stress that, on the connection with Mavenir, I am truly independent; I am not speaking for Mavenir in any sense at the moment.
I think ip.access came up a couple of times in the conversations with Mavenir last week, but we are a small cell radio access network vendor, a RAN specialist for cellular technology, global system for mobile communications, 3G and long-term evolution, and to some extent 5G. We are deployed in many networks. Historically, over the 20-year life of the company, we have been deployed in more than 100 networks worldwide, and are probably active in a little more than 50 of them. Those networks include T-Mobile in the US, AT&T in the US, Airtel in India, BT One Phone in the UK and others of that sort. Those are my credentials.
Dr Sellars: You are quite right that 5G opens up a whole load of new benefits, predominantly high-speed access/lower latency. I think some of the security risks are around who is providing the infrastructure to support 5G. The concern that we have at the moment is that we need to have security of supply—both resilience of the supply chain for that infrastructure, and the cyber-security and encryption element of that infrastructure.
I think it is fair to say that 5G is likely to support a much broader selection of services. It is likely to have an impact on commercial, governmental and security transmission, just because of the widespread access and its very high-speed capability. It is also likely to support a very large number of internet of things devices—the sort of devices that UtterBerry develops. Some of those devices are another potential attack vector, if you like; they are another potential vulnerability. It is broadening the access into the network, which is potentially opening up new sorts of vulnerabilities that we need to take into consideration.
Dr Johnson: Let me start by saying that some aspects of security in 5G networks are actually much more secure than in previous generations. Looking over the lifetime of cellular, you will know that you could just listen into first generation analogue networks with a very high frequency radio. GSM—the global system for mobile communications—was secure, partly at least. The network and the phones would authenticate to each other, but only asymmetrically, so the phone could be captured by a surreptitious network. That sort of attack is still used.
3G is much more secure, with symmetric authentication. It is harder for devices to be captured by the wrong network, but it is still possible. It is also possible for the IMSI—that is to say, the international mobile subscriber identity—of an individual or group to be found from that network. The same is true of 4G. In 5G, that is much more difficult. In terms of the security of the user of the network, 5G has tightened up a lot of the loopholes in previous generations in a way that is very hard to unpick. That creates tactical problems for some law enforcement agencies, which rely on some of the insecurities of earlier generations to do their job.
From the network side of things, there are some issues. There is a new network model in terms of the way nodes are connected in the core network. No longer are there physical interfaces as in previous generations of network, where there would be an S1 connection from the base station to the core. There are still connections, but they are much more in a publish-subscribe-type model. I think those, conceivably at least, bring a little more opportunity for attackers to probe nodes within the core network to find weaknesses and vulnerabilities. That is my take on 5G.
Heba Bevan: We have three elements that the telecoms community could work on: the communication aspect, which is provided by companies such as BT; the hardware aspect, which is probably provided by companies such as UtterBerry; and the software element within the system. So there are three types of vulnerability that could be introduced in the path of these three elements. The only problem with these paths is this: who is responsible if there is an attack? Usually, the communication aspect is the most important part to get protected.
Currently with 5G, there is a huge opportunity for opening up a huge economic impact from the sector in terms of healthcare, education and tech industries. These industries will need to move on and having 5G is definitely an important element, but how can we make sure it is secure in providing an effective communications network that provides an end-to-end solution and security? That is where I think we need to concentrate on the telecommunications and how can we make sure that what we are getting from that communication is totally secure, and that the encryption within it passes certain thresholds.
We can follow a certain standard within the hardware and software, but if the network is weak and has not provided us with good reliability, that is where things could be broken.
Is there a shelf-life of the older versions? I am surprised that we are still talking about 2G—that it has not been removed. Is there a shelf-life for those elements and will they be removed from what I term “the network”, which is of course the whole global telecommunications infrastructure of the UK? Nick, do you want to start on this question?
Dr Johnson: Yes. Let me start on that shelf-life question. GSM is a little bit like Radio Four longwave, right? I do not think that it is ever really going to die; there are just too many people who depend on it for one reason or another, whether that is for emergency calls, or just for coverage in remote locations or wherever. I think GSM will stay there forever, despite its security issues. They are well known and understood, and managed in due course.
The shelf-life of network components is an interesting aspect. Our experience of deploying into cellular networks is that there is always a security audit involved. When we take a piece of equipment into a new operator, there is always a hurdle to be overcome. They have their own audit procedures and those include a sort of paper audit, where they look at the particular software components that the software is built from, some of which we build ourselves, some of which is open source and some of which is commercial off-the-shelf software libraries and so on. They want to make sure that those are all up to date and properly patched, with all the latest security patches and so on. I think that will just continue on. To some extent, that is just the baseline hurdle.
I am not sure this is exactly what you are asking, but what has changed in my mind as we go forward is this idea that there can be software in the network that is not so much interested in security—as in, somebody hacking into it—but is more of a Trojan horse type of software, completely undetectable until some signal or some date comes by and it springs to life and does bad things. The example I have in mind is the SolarWinds example from December last year, where software had been inserted in the supply chain and had been sitting there quite happily for a while. That, to my mind, is very difficult to detect. Until it goes off, you do not know there is a bomb inside it, and that is an issue.
Coming back to the shelf-life question, keeping the software up to date is a major issue. It sounds easy, but practically speaking, I know it is an operational dialogue all the time within vendor businesses: they are striving for revenue from new customers, for new features to be added, and that is acting against updating the software libraries and so on to bring them up to date. There is a continual dialogue in every vendor company to ask, “Do we need these features to get more revenue, or do we need to update these libraries because we need to maintain secure software?” I guess to some extent, the whole reason for this Bill is to try and force that to the front of the conversation; to say, “Look, you can’t go on. That dialogue has to stop now. The software needs to be secure.” That has to be the baseline; it has to be a basic hygiene factor in selling software that it must be secure to a certain level, and the features need to come as value added. If you have some questions coming up on the code of practice, designated vendors and so on, we might talk about that, but those are my comments on shelf-life.
I think I missed your first question. I apologise.
Dr Sellars: I can add a little bit. Your question about auditing systems is very pertinent to the experience we went through at the end of the 1990s with the Y2K bug. Lots of companies were required to do an audit: financial institutions, companies using software-driven automation, were required to do an audit of their systems in response to that threat. It would probably be a fairly similar exercise for telecoms. I am sure they must have a register of the equipment they use.
Nick has made all the points about software shelf-life, but from a hardware point of view, there is a capacity that the hardware can deliver. My understanding is that as they put in a new service such as 5G, it is quite often built on existing infrastructure such as 4G and 3G. Clearly, each piece of hardware has a bandwidth and can support a certain amount of data throughput, so in terms of shelf-life, I would argue that it is mostly capacity-related. I do not think there are any major concerns about things wearing out as such from a hardware perspective.
Heba Bevan: If we are auditing basically hardware, it becomes very difficult. You can audit maybe 10 main base stations, 20 or even 100, but every single one of them is quite hard and intensive, and it might also be locking to a certain competition in who the supplier is. If you are getting it from one supplier, you are able to audit that supplier, but if you are getting it from multiple suppliers, how would you audit every single supplier? Would you go 10%, or 20%?
The other thing I would like to highlight is that back in early 2018, Intel had a problem with the security of one of its chips. I can provide written evidence later on to give you the full details on that. One of their chips, as well as AMD and Arm, had a problem, and they knew about it, but it has not been fixed. The problem is that if you put it out there into the community, it becomes a major threat, and a bigger threat.
In terms of hardware, as long as it is supported, maintained and updated on a regular basis, its shelf life will be built to a certain recognised standard. However, if it has not been built to a certain recognised standard and it has not been tested and maintained yearly, it will come to an end very quickly and will need to be replaced. We have a huge problem with a lot of networking in smaller areas and bigger areas in the UK. Some of the areas have an amazing network and speed, and some of them are very bad and are actually degrading. We can see that even in education. Schools currently rely on these networks to have Zooms and Teams meetings, as well as normal meetings. Some areas have not been maintained as other areas in the UK have. Maintaining and auditing them is bound up with the maintenance and making sure that, whoever the supplier is, they maintain the system on a regular basis, update the software and keep a track on that.
I am sure Members would appreciate further details on the Intel example, if you can provide that.
Heba Bevan: The problem with Huawei is a bigger problem. The technology was freely created by BT and got sold to Huawei. I think that such an important technology should not have been allowed to be sold in the first place. I am sorry; this is my personal view, not a company view. I think certain technology should be kept within the country because it has a certain importance and all of us use it, so it should be kept in a certain way.
On replacing Huawei with something else, currently we do not have many options, to be honest, in terms of 5G. We have Ericsson, which is a provider of a chip. There are other providers, but they have not come out. Even looking into modules currently, UtterBerry is working on a 5G project with DCMS and the Welsh Government, and we are basically creating the first IoT solution that is completely compatible with 5G.
In terms of supplier for the chip, we have one option, which is Qualcomm. We have Ericsson as well, but they are not at the same speed as Qualcomm, so in terms of options to go with 5G, I do not think there are many suppliers in that market. The capabilities within the—
Heba Bevan: That depends on competition law. The more the merrier probably, at least to give each of us a choice. It would be great to have a choice and to pick the best for the situation. The problem is, given the speed at which we want to roll out 5G, I do not think we will have enough time to create many companies that can provide 5G. We have the capabilities to do it in the country, but we do not have the capability to manufacture that number and roll it out to the entire country. Perhaps Dr Andy Sellars or Nick can comment on that.
Dr Johnson: Let me chip in for a bit. In terms of diversification, there is an issue with scale. Derek McManus made this point—I listened to his contributions from Thursday—about scale. In order to serve the global telecoms operator network, you need scale. You need enough financial and technical muscle to withstand the procurement practices. There is an issue around how much you can afford to deliver, at certain profit margins, in order to make a business. It is very difficult for small companies to achieve that scale.
Speaking for myself, we are a case in point. We achieved a certain degree of scale but did not get to the point where we could compete effectively with Ericsson, Nokia or anybody else in that space. There are quite a few second-tier players around, Mavenir and Airspan, which have 5G technology that could be deployed. Is that scalable to the degree that Vodafone Group would require? Do they have the financial backing to withstand Vodafone procurement organisation? I think that is a major issue.
If you look for the sentiment of the investment community around telecoms, I do not think you will get very positive feedback. Investors are, with one or two exceptions, looking elsewhere to make money. It is a very mature market. Finding new growth in that market is very challenging. I do not have an obvious answer to how, globally, you would achieve diversification. Doing it from the UK is a big challenge.
The only crumb of comfort I can offer is that we should, I think, focus on core intellectual property, as a country, strategically. If you just focus on the software, and the implementation of the technology, we will get outrun by people with much bigger and much cheaper workforces, which are as highly skilled. The only way to cement the position in the global economy is by intellectual property and ensuring that you own it, it is well protected, and you can leverage it and exploit it appropriately in that space. Some of the work that Andy is doing at the Catapult is looking at not necessarily software, but technology that could be used in 5G to improve the efficiency of radios and so on. Paradoxically, hardware-centric IP may well be very important to the effective operation of a network.
I am not giving you a very good answer here. It is a very challenging political goal, to say that we want to diversify. What is in it for us as an investment community and a technology community? I think everyone is looking elsewhere at the moment.
I am conscious of the time. Dr Sellars, do you have anything to add to that?
Dr Sellars: Absolutely. We are in a situation where we have three monolithic suppliers—we are actually down to two monolithic suppliers. With telecom diversification, we have an opportunity to look at disaggregating parts of the network, especially for newer 5G and other services.
My background is similar to Heba’s. I am an electronic engineer by trade. I have designed electronic systems that have been manufactured in the UK and I have written software to drive those systems. In the UK we have something like 5,000 companies that design and manufacture electronic systems. Something like 600 of them are involved in telecoms. I am not suggesting that all of those 600 become equal players. That would be a crazy scenario. But there are certainly some parts of the telecom network where the UK is pre-eminent. There are some backhaul and fibre technologies that we are very good at. As we deploy 5G into rural communities, that is likely to require low Earth orbit satellites; we are very good at satellite communications.
We have clusters of activity with these things around the UK. There is a cluster of radio frequency, backhaul and satellite communications in the north-east, and of satellite manufacturing in the central belt of Scotland. We have clusters of activity in the Western Gateway and around small-cell base stations. In south Wales, we have clusters of activity in compound semiconductors, which are the next generation of chips required for 5G and other high-data rates communications. So, I think the diversification strategy goals of opening up and disaggregating the markets are certainly going in the right direction.
Ultimately, it comes to the telecom operators and how many suppliers they would like in their vendor supply chain. If we can disaggregate the network and come up with open standards for various parts of the network, such as open RAN and backhaul network gateways, that opens the playing fields and enables companies to compete equally. As I say, there are a number of UK companies that could compete. They are globally competitive and could compete on equal grounds with other companies to get access to those markets.
In terms of the timescale to do this, at the moment we have three monolithic suppliers and we are going down to two. Patching that scenario feels like a very short-term timescale, but I would indicate that a broader diversification would probably be in the order of three to five years.
Thank you. I want to try to squeeze in both Sara Britcliffe and Chris Matheson before we go to the Minister and the shadow Minister, so we need short questions and succinct answers.
Dr Johnson: I think broadly the Bill is okay. I have a couple of questions about the wording. The definition of a security compromise is too narrow. At the same time, the first clause would cover every single bug in every single system, regardless of whether they were to do with security or not. Does it affect availability, performance or functionality? Every bug on the planet would qualify for that. The Bill does not cover the issue of prepositioned viruses that are implanted in software, which are crucial to the next phase of network security, but it broadly makes sense.
I have one other comment around the designated vendors. What do the friends of the Bill think about a designated technology register? Designated vendors are all very well, but the technology that is being incorporated into telecoms networks is itself subject to security concerns. Should such a register of the specific technology generations or of particular operating systems and libraries, which are known to be buggy or compromised from a security point of view, be included in the Bill? It might be too late in the day for that, but I guess some of this will be picked up by the NCSC.
I am sorry to interrupt, but I want to move on to Heba Bevan. The question was, what is there in the Bill that you really approve of?
Heba Bevan: One of the things in the Bill that, to me, is essential is that whoever is providing the telecommunications system has to be liable for providing the security on it. I totally agree on that. They have to make sure it is secure. There are a few bits and pieces on how that is being achieved but, because of time, I can send you a few points around that.
That would be helpful, thank you.
Dr Sellars: I agree with the points made by the other two witnesses.
“I am delighted UtterBerry has been selected as a champion of British technology excellence through the TechHub programme—just one of the new initiatives we have launched in partnership with industry and the Chinese government.”
That is from Sherry Madera, the deputy director general of the Department of International Trade at the British Embassy in China. Are our firms still being pushed to share communications technology with China as this Bill is going through?
Heba Bevan: No, we worked with the Department of International Trade in 2016. The Chongqing Government were interested in having UtterBerry there. We spoke with our lawyers about the amount of IP we have and decided that we would not pursue this. We do not manufacture anything in China. Everything in UtterBerry is manufactured in the UK—software, hardware and everything we do. We mainly have graduates from the UK. We have European engineers, but recruitment is mainly kept closer, because of the IP sensitivity.
Thank you for clearing that up. Chi Onwurah.
I will be brief, as we are running out of time, but thank you for your expertise. My question to Andy Sellars and Heba Bevan is about the diversification strategy. In what areas do you think the UK has the capability to exploit the opportunities of this diversification strategy, particularly in hardware versus software? We have been told that hardware is beyond our manufacturing capabilities, yet you seem to be making a success out of it, Heba. What barriers are new entrants and smaller companies likely to experience and what kind of interventions should the Government make that are not fully addressed by the diversification strategy in order to ensure a UK capability in this area?
My question to Dr Johnson: we heard from Mavenir earlier, which said that open RAN could provide 2G, 3G, 4G and 5G networks now. We have also heard of the operational challenges associated with that. What is your view on the maturity of open RAN technology? We will start with Andy.
Dr Sellars: The first question was about UK capabilities to exploit the opportunity. Specifically, the UK has a cluster of small-cell base station manufacturers around the Bath and Bristol area. We have satellite communications clusters around the north-east, central Scotland and Surrey. We have a compound semiconductor cluster around south Wales, employing 1,600 highly skilled engineers generating something like £180 million per annum to the Welsh and UK economy. We have quantum encryption expertise funded through Innovate UK’s programmes, we have world-leading providers of optical transceivers for fibre communications, and we have backhaul capability.
Dr Sellars: For interventions, I would suggest that the Advanced Propulsion Centre is a really good model to look at. It is in a different sector. It is funded through the Department for Business, Energy and Industrial Strategy, and its remit is to help to transition the automotive industry from petrol and diesel engines to electric drivetrains using batteries. Have a look at that as a model. It is an incredibly good model for transitioning an entire industry from one technology to another. It brings together supply chains and is very effective. That is one of the interventions I would suggest. Other interventions could be cyber-certification and just helping UK companies to access some of the standards bodies. That would be very effective. We have a lot of SMEs.
Heba Bevan: Thank you for your question. On hardware, as a company—and to be honest in the UK as a nation—we do not have the essential foundries. We can design and prototype the silicon, and we can work on, from the beginning, how actually it would work, but the actual manufacturing of the chip—not the hardware: that one chip which is like the CPU or a piece of DSP—those actually require very high-intensity foundries. If we want to build them in the UK it will cost around £10 billion today—probably over that number. Andy can correct me on that.
In the far east, they have unlimited resources with the state aid rule; and Europe, in the last few years, passed something, for the state aid rule, called IPCEI, which is important projects of common European interest. Germany was able to fund €1.2 billion from its money to support these foundries. France put in €0.8 billion, and Holland put in €0.4 billion. In the UK in the last few years, in terms of building these foundries, the UK has not supported that type of manufacturing. In chip manufacturing, we do not. However, on the hardware scale we are able. The way we see it, we build the hardware; we build the software—but the actual components and the chips, today we do not have the capabilities in the UK to manufacture that.
I am really sorry to do this to you, but I think I had better interrupt and go to the Minister or we will run out of time completely.
Dr Sellars: I would prioritise the funding in terms of where the vulnerabilities are in the network, in terms of the ability of the UK to fulfil those vulnerabilities and in terms of what markets it would open up. There are specific parts in the telecoms stack that are likely to be more vulnerable than others, where the UK has prime capability and where we could then develop an export opportunity. I can provide some more detailed answers in writing if that is helpful.
Dr Johnson: For my 30 seconds I would spend it on basic research, cementing the intellectual property position of the UK.
Heba Bevan: I would agree with Dr Sellars—Andy: we need to increase the amount of spending around vulnerability and strengthening the network. One other point is about spending it on areas outside the UK so it would generate more jobs around the north.
Chi, I think you had something outstanding, and you have got just about a minute and a bit to do it.
Dr Johnson: So, the 45-second answer: Mavenir is using IP access GSM 3G technology in its open RAN development. Pardeep, I think, said that it would be ready within 12 months, and I agree that that is a true statement.
Did you have anything else, Minister?
I am sorry we had to hurry you a bit, there, but we are trying to get through quite a lot this afternoon. Can I just thank all our witnesses for your evidence and the extra bits that you said you would possibly forward to us. That would be much appreciated. Thank you, on behalf of the Committee. That brings this session to a close.
Examination of Witnesses
Dr David Cleevely, Helen Duncan and Mike Fake gave evidence.
Mike Fake: It is Mike Fake, as in genuine.
Helen Duncan: I am a consultant and freelance journalist, specialising in RF technology and the wireless sector. I have been writing about this industry for the past 30 years. Prior to that, I was a practising engineer in the high-frequency electronics industry.
Thank you. Mr Fake.
Mike Fake: Thank you, Mr Chairman. Hello, everybody, and thank you for giving me the opportunity to give evidence at the Committee today. I am director and co-founder of Lumenisity, and I have spent the past 30 years in telecoms fibre optic components.
Lumenisity is a spin-out from the University of Southampton, and we have developed a new fibre optic cable technology, in which data travels 50% faster than in a conventional cable, which would digitally shrink the UK; provide a more responsive internet; increase the physical separation of data centres, moving them out of big conurbations; and potentially reduce the cost of deploying 5G. We are building a company to engineer telecoms solutions and innovatively scale up the manufacturing base in the UK.
Our opening statement is that we support the principles of the telecoms security Bill. We see the diversification strategy as critical for successful execution. It is a real opportunity to build a secure, UK-leading network, fostering new entrants and technologies in the UK telecoms supply chain, and to leverage innovative solutions in manufacturing scale in the UK.
A challenge for SMEs, which I would like to highlight, is ensuring sufficient scale-up investment. This is an expensive step and it is difficult to raise this level of capital independently, so we need a combination of public and private funding. Lumenisity is part of an overall eco-system to improve the UK competitive position in a growing next-generation economy. In summary, we would like to see this as an opportunity for a positive change, rather than a retrospective solution to a singular problem.
Dr Cleevely: My name is David Cleevely. As you have pointed out, I have invested in a number of telecoms companies and sold a few of them successfully. I have been an adviser to the Government and Ofcom. I was one of the experts who helped with the Communications Act 2003. To ensure I have full disclosure, I was on one of the boards of the MOD for eight years, looking after our ICT for all of defence, in theatre and the back office.
If I may, I would like to make three points very briefly. First, I would like to explore perhaps outside of this Committee a little bit more the edge cases for what constitutes a telecommunications network. Although provisions in the 2003 Act, sections 125 to 128 or so, cover quite a lot of things that are extended in this Bill, I think we need to think rather more carefully about what a telecommunications network actually is, in a world where many of these things are distributed, both in hardware and software.
The second point I would like to make is about the spending on R&D and procurement. I am sure we will get on to that. We need to solve a problem that is deep-seated in the UK economy about the difficulty of translating R&D and deployment into real practice. I have some further comments I could make on that.
Finally, I note that in the previous session last week, Miriam Cates picked up on one of the contributors, saying we could not forecast 20 years into the future, and Alex Towers asked about a contested story to do with Huawei back in 2005. I would like to point out that I had a small part in all of that and can verify that that was discussed. I will not go into details, as you would probably imagine I would not.
One of the things I participated in then was the Foresight cyber trust and crime prevention project. A lot of the things that we are talking about today were indeed forecast 20 years ago. There are some lessons that we can explore later in the Committee from that experience, if you wish to do so.
Thank you. The first question is from James Sunderland.
Mike Fake: I think the diversification strategy is important. It is great to see the national telecoms centre proposal and the £250 million for research and development. One concern is whether that will be enough. Listening to earlier parts of the hearing last week, BT said that it invests £500 million per annum and Huawei has a revenue of probably $120 billion per year. Sorry, did I say, “million”? I meant billion. What do they invest in research and development? Probably $2 billion a year. The opportunity I see is that we have a short-term focus for network equipment manufacturers to replace high-risk vendor equipment, but it will be difficult in that period for other new entrants to get their share.
The opportunity is to foster new entrants in technologies in the UK telecoms supply chain, and to leverage innovative solutions for manufacturing scale in the UK. Another issue is that there is a lot of focus on the radio access part of 5G, but that is only one small part of the network. There is optical fibre connectivity from the masts, and transport to the network’s core: that is critical to the network’s security and performance.
Helen Duncan: When I started my career, the industry was dominated by big names such as STC, Plessey, GEC and Racal. They all received funding from defence organisations such as the Royal Signals and Radar Establishment at Malvern. They used a lot of the spin-offs from that technology to develop their telecoms capability. That all ceased in the 1990s after the Berlin wall came down and cost-plus was abolished and so on. It is significant that independent industry research shrank in those times. We are now, at last, seeing a bit of stimulation going back into British industry thanks to the catapults, like Andy Sellars’, and this could be an opportunity, if not to return to those days, to put some investment in and to develop the talents we have in this country.
Dr Cleevely: The Bill is a great opportunity, as the other speakers have said. In technical jargon, it is a necessary but not sufficient condition. It does provide some great opportunities. I am an investor and have created a number of British companies of which, like you, I am very proud. We do, however, need to think carefully about how the market actually works. A number of speakers before us talked about the way in which the number of suppliers has come down in this business. We need to be careful in thinking about how we intervene to set the rules of the game and to encourage certain kinds of behaviour. I am very familiar with one example that relates not only to Government but also to large corporates: the notion that you go through a procurement department that is forcing you down on price, and it does not have the notion of innovation as one of its key performance indicators. The notion of innovation, on the other hand, is built into a lot of the systems that are employed in other countries, primarily the United States, as a way of evaluating whether a technology should be procured or not. We need to think rather more carefully about how we foster that development and growth of smaller companies into larger companies, particularly with this view about innovation.
For example, Ofcom is an economic regulator—one of 11 or so economic regulators in the UK. It has always, below the radar, treated innovation as one of the things it ought to be fostering. I would suggest, for example, that alongside the consideration of this Bill, we think about how we push innovation rather more firmly and put some money behind it in terms of procurement.
Mike Fake: Obviously, we have got two things to do here. We need to replace the existing vendors’ equipment, but in parallel, if we can invest in the UK supply chain—we have a very healthy supply chain in the sense that there are a lot of companies which provide optical components and subsystems into the equipment manufacturers. We need to do both things at once. We need to swap out the equipment, and also invest in the new companies coming up, so that in the future we can have a much more future-proof, innovative, secure and leading network.
Pushing the timescales forward, we have to recognise that in the short term we are going to be stuck with two alternative vendors that we need to swap out, but if we can invest in the up-and-coming, innovative, small SMEs and really foster those, as the previous speakers have said, I think we have got a real opportunity to change things and to have a world-leading, British, high-UK content network moving forward.
Thank you. Could I ask Helen the same question?
Helen Duncan: I think there are some real practical difficulties in swapping out the equipment. It sounds simple; you just take one radio out and put another one in, but I think you would find that cell sites would be down and consumers would be complaining.
There has been some research recently by a company—albeit funded by Huawei—called Assembly Research, which estimates that it would put the UK three years behind in its programme of 5G deployment. At a time when communications are key to our surviving the unusual circumstances of the pandemic, it seems counter-intuitive to think about putting even more strain on that by moving the deadline closer. I think perhaps it should be the installation engineers who work for the networks we should be putting this question to: how much disruption is it going to cause?
Thank you. David too?
Dr Cleevely: I would like to echo what Helen said, but in a rather different way. There is an engineering problem, which is what we have been dealing with, but there is also a human behavioural problem. Anybody who has worked in a large corporation or worked on these large projects will know that the way in which people approach the problem, and the way they think about it, the way they want to programme it and the urgency they feel, is driven as much by the psychological issues as it is by the technical. I would urge you to think through how you would encourage the behaviour that you want to see. Now, obviously Government can do that by simply issuing an edict and forcing a deadline, but there may be other ways that you can get more innovation and a more rapid shift than the 2027 deadline, simply by thinking through with the industry—going back to Helen’s point about the engineers on the ground—about what is required. A little bit more detailed thinking on that could yield some very positive result.
Mike Fake: That is a difficult problem to solve, but I think it is important that innovation is a powerful force, and you can turn around things in this new world very quickly. Although you have old legacy systems, and you replace everything from overseas vendors with old legacy systems, you need to keep moving forward. In terms of optics, we probably have one of the world’s leading telecom fibre optics innovation capabilities in the world, through the universities. We have a whole bunch of small and medium-sized enterprises out there, and they are struggling to make that step to some scale and to get that innovation deployed in the network. But I think innovation—
Helen Duncan: I do not think it is necessarily the case that they will just use Ericsson and Nokia equipment. Vodafone, for instance, has committed to equipping something like 2,500 cell sites with open RAN equipment, so they are taking a forward-looking view and trying to stimulate that themselves.
Dr Cleevely: If I may intervene here as well, it is curious, is it not? The economists will tell you that sunk costs are sunk costs and you should always move forward, and that is something to hold on to. Human nature says, “Well, we’ve invested in this—let’s see if we can sweat that asset to make the most of it.” A constructive dialogue with your finance director or chief financial officer is always an essential part of all this, and, for example, it is important to understand what is driving the risk that a company is running, its weighted average cost of capital and its cost of borrowing on the market.
Essentially the point is this: if you can get more business and improve your service, and get more customers and make more money, as a result of doing investment, then that is what you will do. The key point here is whether we can find a way of making it clear and straightforward to the most truculent of finance directors or chief financial officers that this is a good investment for the future. In there lies the key, because you need to get the incentives right.
We have talked a little about how we got here; Helen, you worked for Marconi, and I worked for Northern Telecom, which bought STC, one of our last UK companies providing telecoms equipment. Without putting words into your mouth, I think the situation could be characterised by a lack of investment in innovation and in British sovereign capability. Now that we are seeking to reverse that, or to jump ahead of that, what interventions could best guarantee the long-term security and resilience of the UK telecoms network, with UK sovereign capability supporting it? Is the £250 million diversification strategy set to achieve that? Can you give examples—I am looking for quite concrete examples—of what you might add or change? David, you talked about needing to give the right incentives to the mobile operators. The telecoms supply chain review was quite clear that there is not an incentive right now in the supply chain to deliver security in mobile networks. What interventions and what incentives should there be?
Helen Duncan: Starting from how we got into this situation, in the 1990s we had three incumbent base station manufacturing companies in the UK, which were Orbitel in Nottinghamshire, and Motorola and Lucent Technologies, both in Swindon. They survived for different lengths of time: Orbitel closed down in 1996 when Ericsson took over, Motorola ceased base station manufacturing in 2002, but stayed open and was then sold to Nokia, and Lucent became Alcatel-Lucent and was closed down. Mergers and acquisitions have clearly played a huge part, as did the dotcom bubble and, as I mentioned, the removal of funding from the defence sector.
Heba made the point that to support semiconductor manufacture in the UK, the £250 million would not even start to scratch the surface. We need to concentrate a little bit further up the food chain. We have some very good capability in this country in component and subsystem manufacture based around the chips. We have some good design capability for chips that are then manufactured in the larger foundries elsewhere in the world. Supporting those activities, the design and the manufacture of components and subsystems, would give us a good basis and improve resilience.
I also want to mention that we have some capability in this country in the test and measurement sector with Spirent and VIAVI Solutions—although VIAVI is an American-owned company, it manufactures RF and wireless test equipment in the UK. By definition, test is ahead of the curve on development. If you can make equipment to test something, you can actually make that equipment, because it is much more complicated to make the test equipment than it is to make the base station or the handset itself. Those companies deserve our support as well. That was a very long question, Chi; I am not sure I covered every aspect you were asking about.
Dr Cleevely: Thanks, Chi—nice to see you. One of the things that was mentioned in the session a little bit earlier was standards, and I think one of the things that changed telecommunications between the 1970s and the dotcom revolution was the emergence of some of these more open standards, such as TCP/IP for running the internet and so on, and HTML for doing the web browsers. I think we could be putting a lot more money and effort into defining some of those standards, because if you define the interfaces for pieces of equipment correctly, you can allow people to come in and provide bits of equipment that can conform to those interfaces. That is one very concrete thing.
You are right to say that, until relatively recently, the penalties on security and so on—the consequences—have been very small, but in terms of behaviour, you need both carrot and stick on things like this. You need to have something that will give the telecom operators a real reason to do something, which might be as simple as a kitemark that says, “The telecoms network you are using has been certified as secure.” That may or may not be the kind of thing that would engender the behaviour change, but it is noticeable that with a number of things like Telegram and WhatsApp, that is seen to be quite an important thing.
Finally, the networks of people are important in all of this. I noticed that the Government have spent some money on the 5G networking across the UK, which is being run by Cambridge Wireless, which I am very proud to have helped set up. We talked in the previous session about the cluster of people down in Bristol working on semiconductors and so on, and I think the Government should be putting some money into networking people together across the UK, and between regions in particular, to have ways in which we can be exchanging ideas and getting to understand what each other is doing. We complain about silos in Government and silos in corporate, but we have silos across every single component of this industry, and it is no good to sit in a part of the west midlands, Cambridge or Belfast and not talk to other people about the issues, the standards and the technology. While we seem to think that that gets delivered by the free market, in reality that is not happening, and I think the Government in particular need to intervene to connect up all these people.
Today, I launched the Northern Ireland Engineering Hub for the Royal Academy of Engineering—I am chair of the enterprise committee—and that was specifically picking Northern Ireland because of its deep engineering history in order to start to connect it with a lot of the other things that are happening in the rest of the United Kingdom. I think we need more of that, and I think that out of it will come the same blossoming of innovation and engineering that we have seen previously when people have been connected up together. I am a great optimist on that.
Mike, did you want to say anything else?
Mike Fake: I would just add that the radio part of this network is very important, but there is also a fibre optic network that connects it back to the core, and if we can invest in innovation—which means investing in the people who are coming up with the ideas, at the universities and so on—and in the SMEs, there may be clever ways in which we can get to scale manufacturing. That is not just for radios, but potentially hardware boxes, looking at gateways and so on, and also optical fibre, for instance. I support wholeheartedly what the other two witnesses have said, especially the point on open standards that David made.
I am just going to go to the Minister, and then I will come back.
Dr Cleevely: Thank you, Minister. On the short-term stuff, I am very reluctant to dash in on some of these things. I have started a few businesses. It is always a mistake to try to spend money too quickly, because you do not quite know how it is working, but if you are asking me where I would specifically spend some money, I would start to spend it on groups of people and existing researchers, connecting them up, having seminars and workshops, starting to fund little bits of research, opening up some competitions, and getting some ideas for where the standards might be—putting oil in a mechanism that has seized up and become somewhat rusty.
With relatively little money—we are talking about nothing like Heba’s amounts that you need to spend on a fab plant—I think you could free up a lot of stuff, but you need to put in, at the same time, quite a lot of investment in monitoring all of that, so that you are learning from the process. There are a lot of brilliant engineers and brilliant people in the United Kingdom. My impression is that we do not do enough to connect them up, so my first action would be to use the catapults, the academies, our brilliant universities and fabulous corporations.
Honestly, as we have already heard, we have some marvellous stuff going on in telecoms manufacture. Start to bring those people together. That costs money to service and to actually make it work. That is where I would start, and I would have a framework for what kind of information we were going to get out of that, so that it was not just a nice party, as good as that is, or a talking shop. A distributed catapult would be one way of thinking about it.
Helen Duncan: I absolutely agree with what David has just said. I would also suggest one specific area where some intervention could be very timely, given that a lot of antenna engineers were made redundant just before Christmas when a company called Axell Wireless went into administration. Antennas have not been mentioned, but Huawei holds an awful lot of intellectual property in antennas. That will be a weakness going forward. In the past, we had some significant antenna capability in this country, most of which was bought up by Cobham, which has now said it has no interest in telecoms at all. It was because they sold Axell Wireless that it has now gone into administration. That is a specific case, but it is just one example of an area where it is not too late to reverse a particular trend.
Mike Fake: I completely support David and Helen’s comments.
We have about 11 minutes left. I will go to Kevan Jones, who I think had a question that was prompted by a reply to the Minister. Then I will try to go back to Chi and to the Minister before we finish.
Helen Duncan: I think hardware technology has a very poor image with investors and we could probably take an initiative to try to improve that, including trying to attract the right people to take up careers in hardware rather than software, as it is seemingly becoming not so glamorous but it underpins the whole thing.
Dr Cleevely: Helen, I think you are right. It is very interesting that these days, if you want to get investment in a company—I have personal experience of this—you present it as a software company that needs a little bit of hardware to make the software work; you do not say at all that it is a hardware company. That is one thing to note.
More seriously, on the general point about private investment and interest in these things, this is a matter of setting up the rules of the game so that it makes sense for the private investors and the private people to get involved. None of this is achieved by Government; none of it is entirely achieved, indeed, by the private sector. This is one of these areas, these issues, where you need to think about how Government set the rules up and set the incentive structure so that the private sector explores the environment—because Government cannot work out exactly how this is going to turn out. The private sector can then explore it. That is why, for example, procurement is so important. If you can procure from a number of different sources and encourage people to move forward, you will explore the possibilities of innovation much more rapidly than any single company or any single Government can. We need to construct the rules of the game so that the private sector can start to deliver what the private sector is really good at. I talked about oiling the wheels; I am talking about unblocking drains at this point. We really need to make sure that the mechanism is working properly.
Mike Fake: I would support that. I will just add that some of the mechanisms that we could explore are things like the competitions where Government put in a certain amount and private industry puts in a matching amount, but it has to be significant; it has to be a large investment—something that will make a difference, something that will take the thing from the early innovation stage through to full-scale manufacture, in the UK.
Mike Fake: I walked into that one, didn’t I? I just come back to my earlier point, which was that it is really great that the Bill is proposing £250 million of money for research and development over five years, but if that turns out to be £50 million a year and then you think just about BT, which is spending £500 million a year just on its network, the £50 million really is not very much, is it? It is appreciated—it is really appreciated—but it is not a significant amount in the context of that.
Thank you for that. Chi Onwurah.
Helen Duncan: That is an interesting question.
We could perhaps have a telecoms business bank?
Helen Duncan: You cannot stop mergers and acquisitions happening, but if you can put in some sort of criteria that companies that buy British companies need to give a commitment to continue to invest in this country for a set period of time—whether or not that is practicable—that would help.
The most important thing is to make the companies themselves strong enough so they are not targets for asset stripping, as has happened in the past. All the measures that we are talking about to oil the wheels, as David says, will make our companies stronger and able to compete in what is still a global market. I think making our companies competitive is the key to this.
Dr Cleevely: There was a thing called the Macmillan gap, which led to the emergence of the Industrial and Commercial Finance Corporation in the late 1940s. Translated into modern terms, that gap is investments required of around about half a million to £5 million or £10 million. We are still living with that, and that gap was identified in the 1920s. We have a structural problem in the United Kingdom about the way in which we invest in some of what would in Germany be called Mittelstand—those smaller companies. I think you are quite right, Chi, to draw attention to that as a particular risk profile. People do not want to put money necessarily past the seed stage into what I would call late series A and into series B.
The other point is procurement. As I have mentioned before, if you have a client or two who is prepared to buy kit from you, you not only get money but you get experience and expertise and you develop your company. We need more incentives for procuring from those kind of middle-sized companies, because out of those will come the giants of tomorrow.
My experience in Cambridge and elsewhere is that quite often, many of those companies say they are entirely private sector driven, but actually they have been the subject of lots of Government procurement and interventions along the way. That is particularly true in the United States where the SBIR scheme is very important.
Do you have anything you want to add to that?
Mike Fake: I do not have anything to add to that. I support what has been said.
I am going back to the Minister, Chi, because I am conscious of time.
Dr Cleevely: Well, Minister, my instinct is not for the Government to not take stakes in companies, so I think that that is beginning a distortion of—
That is perhaps not the phrase, but you get the gist.
Dr Cleevely: The primary way to do it is: first, let’s set the rules and regulations. Secondly, let’s put some pump priming into the networks to allow people to talk. Thirdly, let’s see if we can get the procurement sorted out so that these companies can actually get the lifeblood pumping through them. Fourthly, if you really need to, because of security or other strategic interests, are there things such as the British Business Bank or other mechanisms that can act as intermediaries? You do not want the Government directly intervening in this stuff. That is the hierarchy in which you deal with this. On exactly how that works in a particular case, I have not spent enough time thinking of a detailed response.
I am afraid we have run out of time. I know we could have gone on a bit longer, but thanks very much to our witnesses. That concludes this session.
Examination of Witness
Doug Brake gave evidence.
We will now hear from Doug Brake, director of broadband and spectrum policy at the Information Technology and Innovation Foundation. We have until 4 o’clock for this session.
Good afternoon, Mr Brake. Will you introduce yourself for the record, please?
Doug Brake: As you mentioned, my name is Doug Brake. I am the director of broadband and spectrum policy for the Information Technology and Innovation Foundation. We are a think-tank based in Washington DC, focused on policies that we believe advance innovation, with the basic belief that innovation is the key to economic growth and human flourishing over the long term.
Thank you. I call Sara Britcliffe.
Doug Brake: At a very high level, I would say cyber-security generally. The goal of Government intervention should be to make it easy, cheap and desirable for the private sector to do cyber-security well. I have some vague concerns that some increased costs might come from the Bill—the compliance costs—but identifying this as a serious issue that needs to be looked at and giving Ofcom the tools that it needs to investigate security challenges, especially with regard to the equipment and working with the private sector to mitigate those risks, is a big step forward.
On the diversification strategy, I think it is a very wise document. That to my mind is one of the best opportunities that we have to mitigate long-term risks, particularly where there are high-risk vendors in the area. So I think the diversification strategy is quite wise and would make the UK a real leader in this space in terms of policy.
Doug Brake: That is a good question. A lot of people are asking that question and trying to figure out exactly where this will go. I think that at a high level we have passed through the confrontation with Huawei and China over some of these innovational mercantilist policies that we have seen, which have undermined the global innovation of wireless equipment. I don’t think that will change at a high level. No politician in Washington in the US wants to be seen as soft on China. I think there will continue to be policies that attempt to roll back some of the innovation mercantilism that we have seen in the wireless equipment space. I expect and hope that it will be done with a more measured and co-ordinated effort with like-minded allies such as the UK and with less scattershot policies across the US Government.
What we have seen over the last several years in the United States is a variety of different agencies doing what they can to mitigate the risks. It is less a co-ordinated whole of Government approach in the US and more a disjointed and fragmented policy response across different agencies, so I am hopeful that under a Biden Administration we will see a much more co-ordinated effort and one that is more co-operative with allies.
Doug Brake: It is a good question. To start with, I will take the first part of your question, with regard to the export controls that the Administration put in place with the aim of trying to kneecap Huawei; I think it is fair to say that.
First, from our perspective, ours was not a very well-thought-through strategy—right? Without co-ordination and without a broad coalition to address those sorts of trade practices, in effect in the US we really only shot ourselves in the foot. It undermined any of the technology companies or equipment providers that were attempting to sell components and chips to Huawei. So to my mind, if you are not going to succeed in killing Huawei, or if there are ineffective strategies that undermine your own industry, I am hopeful and expectant that we will see a change in the policy going forward.
That said, if there was a desire from a broader coalition internationally to make some more extensive efforts—something like a NATO for trade, to address these unfair practices—that could be a very effective strategy, if it was done with a broader coalition.
In answer to your second question, the long-term goal of diversification of the radio access network supply chain is to allow for a much more diverse and modular system, in which any number of companies can compete within different niche areas of the market. Admittedly, there are some areas of that—high-performance, generic server infrastructure, as well as software—that the US does quite well. However, I think that opening up the supply chain would allow for a number of companies internationally to compete quite strongly.
Also I think there is a question about the extent to which different countries are willing to aggressively pursue an industrial strategy to support the sort of change that could give them a potential comparative advantage in pursuing this sort of transformational change to the telecommunications supply chain.
Doug Brake: I think it is absolutely right that there is a real risk if we cut off supply to China, particularly in semiconductors. We have already seen an aggressive action on their part to stand up an indigenous semiconductor industry. This is getting a little outside of my area of expertise; semiconductors is not some place that I know super well. However, I think that it is absolutely correct that there is a real risk that the extent to which we try to cut off Chinese companies will see them double down efforts to create their own indigenous supply chain. So—absolutely.
I am hopeful that we see either a change to that or a much broader international coalition to double down on those efforts. I think that it is more likely that we will see a Biden Administration ease some of those restrictions, or work through the current legal means to allow for licences for companies to sell semiconductors to Huawei and others.
Doug Brake: That is absolutely right. This is a long-term effort. I worry about some who tout ORAN as something of a silver bullet that we can make a quick transition to, that it is a flash cut for existing equipment providers to an open RAN sort of system—a more modular and diverse ecosystem. It is something that is going to take a number of years. I honestly worry that it is late for ORAN to be incorporated into 5G, at least on a broad scale. For greenfield networks, it is a different story and it might make sense to go with these open and modular systems from the get-go.
I worry that this is much more a conversation about putting in the tools, resources, testing facilities, the labs, R&D, et cetera, to put us on a path for years down the road so that this becomes the industry standard. I do think, absolutely, that this is the time to be looking at those early stage investments to be driving further and, frankly, looking down the road to 6G, to be able to put in place the policies and efforts to transition the industry to this more diverse future, and put those in place now for years to come.
Doug Brake: I worry that sometimes 5G is conceptualised as a singular technology or a singular thing. It is not a monolith; there are a number of different component technologies and a number of different flavours. Depending on whether you are doing a fully 5G network, a stand-alone network or a non-stand-alone network, it is a very different sort of system. There are also a lot of differences between what spectrum is used to deploy the network—if you are using low-band, mid-band or high-band spectrum or a combination of all three. It is hard to answer that question in generalities.
A number of different component technologies and architectures will be rolled out over time. At a high level, the real advantage of 5G compared with 4G is in its flexibility. It is able to tailor its connectivity to a number of different applications’ needs. It can offer extremely high throughput and much faster speeds. It is very reliable, with very low latency. For example, if you want to stream a football match while travelling on a train, it can do that quite well, or quite a bit better than LTE and 4G today. At the same time, you can also change very obscure technical parameters to make for simple communications that require very little battery on the device side to be able to communicate. If you want to have massive deployments of sensors for smart agriculture, or something like that, that have battery life in the order of decades, it can do that. The hallmark is its flexibility.
Given that flexibility, it is anticipated that 5G is going to be much more deeply integrated within the economy and trade sectors, and will be a key tool to boost productivity. There is an important hope that we see a broad deployment, not just in urban areas but in rural areas. Again, I go back to that note on differences depending on the spectrum that is used to deploy—unless it is of interest, I do not want to get too bogged down in the details, but there are real differences in what we would expect to see deployed in urban versus rural areas. But, again, we would also expect to see very different use cases in those areas. Admittedly, there will likely be a performance difference between urban areas and more rural areas. But at the same time, like I said, the use cases look very different—you are not likely to have massive crowds of people all looking to share video from a stadium or something like that in rural areas. There will be a real difference in the roll-out, but I worry that sometimes the challenges with that have been overstated.
Doug Brake: That is a great question. We talk now about needing diversification and seeking entry of a US-UK equipment supplier, but the question and lessons from history are about why we need this in the first place. In the past, we had quite successful telecommunications supply companies, especially in the US. The president of our organisation, Rob Atkinson, set out to answer that question. You may have seen an article in the American Affairs journal, titled, “Who Lost Lucent?” It is a long and interesting article—I will not go into all the details of history. I would say that it is fair to characterise the failures and decline of Lucent as a complicated story, but it stems from a combination of unique challenges imposed by the Anglo-American economic system, systemic failures of US Government policy—particularly with regards to anti-trust and some of the regulatory policy throughout the 1990s—and very strong and aggressive foreign industrial policies, particularly with regards to China, to acquire market share.
I am happy to go through that in some detail, but feel free to cut me off if I go on too long. You are absolutely right to say that we had Lucent and Nortel. Lucent was absolutely massive—it was three times larger than Nortel—and originally spun off from AT&T’s equipment arm, Western Electric. It had the famous Bell Labs. Throughout the ’90s, it was the largest telecoms equipment company and was still growing dramatically overseas, but due to a number of strategic decisions within the company and decisions within the US Government, it ended up really suffering as a result of the dotcom bubble.
Setting aside all the competitiveness questions, particularly with regards to Chinese companies, a hands-off, free market globalised system reigned in the US and UK throughout the ’90s. It was finance-focused capitalism that saw Lucent and Nortel cut their R&D budgets and staff dramatically, particularly as a result of the 2001 crash—much more so than some of their international competitors. With that financial system, it was harder for those companies, which were designed to be growth companies—much more so than a valued company. They were focused on growing quarter after quarter and meeting their financial targets, which made it very difficult to focus on long-term growth. You can contrast that with Ericsson in Sweden, where the Wallenberg family control a lot of the voting shares. Ericsson was able to focus on much longer-term value creation, and they did not cut staff or R&D by nearly as much as Lucent did.
Before that, I think there are a lot of lessons to be learned from the aggressive anti-trust action that broke up Bell Labs and restructured the entire industry. Up until the restructuring of the US telecom market in 1984, Bell Labs had a fantastic situation in order to generate innovation. It had the commercial drive, focus and flexibility that is often lacking in a Government research lab. It also had a long-term focus and an interest in broad technological change, which many R&D efforts in industry do not see. It had steady revenue from telecom rates. There is a complicated story there. It is hard to tell what concentration is good for innovation and where competition is really the order of the day, but it seems clear that the decline of Bell Labs was a real loss.
Doug Brake: Absolutely. I think the diversification strategy is a very strong document. I would say, when it comes to open RAN generally, there are clear benefits that you have heard a lot about, I am sure, including diversification and faster innovation when software is decoupled from hardware. Generally, lower margins on generic components eliminate the risk of the entire sector tipping to a single vendor or a gradual narrowing of trusted suppliers, but there are real challenges with this process. Again, this is going to be a gradual effort. There is not a need to transition immediately.
First, there is a real risk of bandwagoning, where this is seen as a silver bullet and even companies that might not be interested in pursuing this area, such as Nokia and Ericsson, are willing to join in these efforts, even if it is just for the sake of defence. So, there is a real risk of bandwagoning. There is real complexity with transitioning to this sort of system. It is not immediately clear how well open RAN will scale. Actual implementation at scale in urban areas is adding a tremendous amount of complexity. There is a much larger attack surface. It is worth keeping in mind SolarWinds, a US company trusted by many within the Government, which saw this massive damaging breach.
I think there is a real challenge that remains to be addressed in the manufacturing of stand-alone radios. I think that is a potential opportunity for real co-operation: identifying companies that are interested in focusing purely on radio. There is still hardware that needs to be provided that historically was integrated with the broader system, when you only have relatively small providers that are interested in scaling up manufacturing.
I am just going to interrupt you there. I am sorry, but I am conscious of time and I want to give the Minister a fair opportunity.
Doug Brake: I think there are two different opportunities. First, in the efforts of diversification, this is necessarily a globalised sector. The incumbents are massive companies with huge global economies of scale, so in order to transform the industry structure, it is going to have to be a global effort. We need all the countries aiming in this general strategic direction.
I think the document is sufficiently forward leaning. At a high level, one of the most important first steps is identifying this as a strategic imperative—that this is a goal that is shared by Governments across the world—and taking a genuine interest and focus, especially on the level of venture capital investment. Just the creation of the document is a hugely important first step. As for continued research, the real focus is on research and development and test beds. They are the key tools that we need to test and scale up, to identify real challenges and complexity.
I am not sure if this quite fits the answer, but there is a challenge around systems integration. We need to identify real leaders in systems integration. When you have real risk in pulling together different components from different suppliers, into what is essentially critical infrastructure, the risk of failure—at least, the downsides of failure—is extreme, so operators are often eager to have a single company that they can go to if something goes wrong, which can integrate all the different components. There is an important opportunity, to the extent that policy can help support those efforts.
There is all sorts of opportunity for global collaboration and for rowing towards the direction of this diverse supply chain. I think you have put together a very thoughtful piece in moving that forward. Then again, I go back to saying that this is not a silver bullet in addressing the long-term challenges around innovation mercantilism from China and Chinese companies. I think there should be more co-ordination and collaboration, especially when it comes to trade policy. Again, this is outside my area of expertise—I am 5G, specifically—but the more we can co-ordinate to be honest and up front about the real challenges and work to scale back the problem, the better.
Doug Brake: I think that this is absolutely the right direction to be moving in. Clearly, you need the tools to be able to analyse the risk, identify high-risk vendors and work away from potential security risks associated with that. So, absolutely, you need the tools, but there is always a broad challenge when it comes to cyber-security of the negative extra challenges, where private-sector providers might not always face all the downside of cyber-security breaches.
You can solve that by increasing the cost and increasing the downside to cyber-security risk. I think it is much wiser to help work with Government to lower the cost of doing cyber-security well. The UK, from what I can tell, is a real leader in this regard, setting up NCSC. To be able to work closely with the private sector, to identify those risks and eliminate them, is much better than just turning up the dial on the downside to cyber-security breaches, or things of that nature.
I would tweak the Bill in that direction. I guess much of this can be done through implementing regulations, but, to my mind, focus more on collaboration and co-ordination with the private sector, rather than simply increasing the downside as well as the compliance costs with the legislation.
I think that brings us virtually to time. Thank you, Mr Brake, for your evidence. That was the final evidence session for the Bill, so I thank all the witnesses. The Committee meets again on Thursday morning for line-by-line consideration. I believe that will be at 11.30 am in Committee Room 14.
Ordered, That further consideration be now adjourned. —(Maria Caulfield.)
Adjourned till Thursday 20 January at half-past Eleven o’clock.
Written evidence reported to the House
TSB 07 Simwood eSMS Ltd
TSB 08 Dr Louise Bennett, Director, Digital Policy Alliance