My Lords, the Product Security and Telecommunications Infrastructure Bill is another snappy portmanteau Bill from this department—or perhaps I should say, in sporting parlance and in deference to the department, it is legislation in two halves. As we heard from the Minister, it is the second half that has attracted most attention in the Commons and, frankly, from the various lobbying organisations—and it is easy to understand why. Bringing connectivity to a reasonable level across everywhere in the United Kingdom is an aim I am sure all noble Lords share in this House, as do all the MPs at the other end. However, as the Minister alluded to, there are balances that need to be brought into play when we bring this objective forward.
I shall start with the first part of the Bill, the security bit. As the Minister outlined, it is designed to enable us to face up not just to the present but to the internet of things or the network of everything, safe in the knowledge that our appliances are safe from hacking. It is not a future problem, as the Minister outlined: it is with us here and now. The consumer organisation Which? very clearly brought this to bear. It tested a range of devices, from baby monitors to smart speakers, with its ethical hackers and found 37 vulnerabilities with those test devices, including at least a dozen rated as “very high risk” and one as “critical”.
At the heart of this problem is that some of these products may have had inadequate security against threats in the first place, or that they have not been effectively upgraded by the manufacturer during the life of the product, which is why they are at risk of being hacked, as the Minister well knows. The Bill is supposed to make provision to enable the Government, via regulations, to require manufacturers, importers and distributors to make sure that their consumer-connectible products meet some minimum standard of cyber requirement before they are placed on the market. This is the problem that I face with the Bill: the majority of this part of it will come through secondary legislation, so it is hard to see at this point the Government’s objective for consumer rights.
I have looked through the Bill—I have tried very hard—and neither the Long Title nor the text of the Bill sets out what a consumer might reasonably expect from consumer-connectible products in their house. What might they be able to expect through the life of that product in terms of security and hacking? Assuming that there is no such thing as absolute security, following the implementation of the Bill and all its, as yet, unseen statutory instruments, what level of security should the UK consumer reasonably expect for their household, and what is their recourse in the event that that is not met?
The Government’s response appears to be a sort of micromanaging process—for example, as the Minister set out, mandating password protocols. The Government are, in essence, pitching the ingenuity of the department and the support that the department gets against the ingenuity of the criminals and hackers and, to a large extent, micromanaging how those device manufacturers respond to that threat. In a sense, that absolves them of being the innovators; it absolves the manufacturers of responsibility for delivering a security rather than meeting a requirement set out in a statutory instrument. In short, they will need only to follow the letter of the process that the department comes up with through its statutory instrument rather than deliver a level of security. In the view of this Bench, there ought to be a minimum standard of security that consumers can expect. From our perspective, we are looking at the wrong end of the telescope with this legislation. At the very least, there should be an up-front clause that sets out what that minimum expectation should be. Then, rather than micromanaging it, it would be up to the supply chain to deliver security, which would be a legal expectation.
That takes us to the subject of policing. Assuming that the Bill stays as it is, I am interested in Chapter 3, on enforcement. Once again, the meat of this provision awaits secondary legislation. The Secretary of State is responsible for enforcement, but it is not clear to me how she will do it. Perhaps the unit will do this and perhaps a new unit will be set up in the department. Could the Minister explain how enforcement will be managed in light of the 20% reduction in departmental head count being enforced on all departments by the Chancellor of the Exchequer? There will be 20% fewer people to do, yet again, a bigger job. Unless the Minister can set out a plan for enforcement, it is safe to assume that consumers in fact will not be safer when the Act comes into play.
Turning to the infrastructure part, as the Minister said, the Government’s commitment is for there to be a minimum of 85% gigabit-capable broadband by 2025. The Levelling Up White Paper of course talks about maximum coverage later on. The Minister talked about there being 100% coverage as soon as possible. What does that mean in reality—or does it mean nothing? The Minister also spoke about a majority of the country having 5G by, I think, 2027. Does that mean 51% or a larger number? There are lots of parts of the country still chasing 4G, never mind 5G. Can the Minister use this Second Reading to update us further about—and perhaps set out in writing—where the country is in implementing both gigabit and 5G
across the whole country, rather than use a percentage? To give a percentage of users is slightly misleading because there are less well-populated areas where users remain very much underserviced. I also ask the Minister to update your Lordships’ House on progress in eliminating Huawei hardware from the 5G network. We are interested to know where that is going and when it might be achieved.
As I expected, the Minister portrayed this legislation as a vital piece in meeting the installation target but, before we get to that, can he tell us how the other pieces are going? As I have said, my recent travels to Devon, Cornwall and my home county of Herefordshire indicate that network coverage remains poor at best and is sometimes not there at all. Given that these are some of the more rural parts of the United Kingdom, I take that to be the standard that most rural communities are surviving through. What extra is being done to get better coverage in these places, rather than focusing on the big numbers—the big conurbations, cities and towns? To date, the evidence suggests that this is not successful. It seems to me that the issues in the Bill are not the issues preventing this happening.
The Bill is about access—I think the Minister was a Whip at the time of the last pass on this. Somewhere in the dog days between two of the Covid lockdowns, my noble friend Lord Clement-Jones and I were climbing through the niceties of multiple-occupancy access and wayleaves in the then Telecommunications Infrastructure (Leasehold Property) Bill—another of the Minister’s snappy Bills. Perhaps this should be the starting point. The Minister mentioned it today but, taking that previous Bill as a template, when it comes to access, what worked and what did not work? I get a sense that access is piece of string that the telecoms operators will keep on pulling for ever, so what has sparked this new Bill, and what did not work under the previous ones? Their briefings seek to raise this as a key issue, but is that really the case? Is the lack of access that I described earlier the overwhelming impediment to the rate of installation, or is it something else? Is it perhaps the rate of investment, the skills available or the capacity to do so many projects overall? I suggest that all three are key elements in the rate at which the installation we need is happening. Can the Minister balance those issues with the issue of access, which is the only issue being addressed in the Bill?
Changing access regulations is also an opportunity to drive down costs. If they are being passed on to consumers, that is no bad thing—but are they? Speed Up Britain, a cross-industry organisation, is campaigning for the Government to close the loopholes—very much in the way that they are—and points to benefits. Other campaigners highlight a potentially catastrophic drop in income faced by local community organisations and local authorities in the rent-to-host infrastructure, such as mast licences, which was caused by the last Bill and will be further enshrined by this Bill; those campaigners estimate up to a 90% drop in income. In a meeting, the department puts the fall at around 60% to 65%. Either way, this is a big fall in income for, say, a local football club.
So who is benefitting from the drop in operational costs? Many of the mobile towers are now owned and operated by towercos which sit between the landowners
and the telcos. I suspect that changes in the use of shared apparatus, as heralded by this Bill, will drive more of that intermediate role for towercos or similar. Are these towercos passing the savings through? To date, I think it is very hard to see that consumers have seen any benefit from that fall in cost.
The other delicate balance that has to be weighed carefully is the role of BT Openreach and the need to foster genuine competitivity across the sector, rather than having a collection of niche operators and a 500-pound gorilla. Can the Minister please tell your Lordships’ House how the market for full-fibre and gigabit-capable broadband is currently split, and what analysis his department has of how that will be affected or otherwise by this Bill? There is a possibility that the nature of the changes proposed in the Bill will disproportionately benefit the dominant player in the market, so that analysis will be very important.
As we have said, there are two parts to the Bill: there is a serious danger that the second half activates a series of unintended consequences, while I fear that the principal danger in the first half is that it has very little consequence at all. We look forward to working with the Minister on improving the Bill in Committee.
3.42 pm