
IT systems and infrastructure (2023)

Request

  1. Who provides your WAN and internet connectivity and the annual spend on each
  2. Who provides your SIP trunks and what is the annual spend
  3. Who provides your WAN services, is this MPLS, SD WAN or Internet, and what is the annual spend
  4. Who provides your LAN infrastructure and what is your annual spend
  5. Who provides your WIFI infrastructure and what is your annual spend
  6. Please confirm the manufacturer(s) of your wired network core and edge switching?
  7. When was your core network installed?
  8. Has it been updated subsequently?
  9. Who maintains your core network?
  10. When is the contract renewal date?
  11. Please confirm value of the initial project?
  12. Please confirm the value of annual support/maintenance services (in £)?

 

Response

Please note that whilst the House of Commons and House of Lords are two separate public authorities for the purposes of the Freedom of Information Act 2000 (FOIA), the information you have asked for in this instance is held bicamerally between the two Houses. Therefore, this response covers both Houses of Parliament.

1) Who provides your WAN and internet connectivity and the annual spend on each
2) Who provides your SIP trunks and what is the annual spend
3) Who provides your WAN services, is this MPLS, SD WAN or Internet, and what is the annual spend
4) Who provides your LAN infrastructure and what is your annual spend
5) Who provides your WIFI infrastructure and what is your annual spend
6) Please confirm the manufacturer(s) of your wired network core and edge switching?
and
9) Who maintains your core network?

This information is held by the House of Commons.

The House holds information on the annual spend of the services/infrastructure requested, and details of this are provided in the table below.

| Service | Annual Spend |
| --- | --- |
| WAN | £175,000 (inc VAT) |
| Internet connectivity | £150,000 (inc VAT) |
| SIP Trunks | £26,880 (exc VAT) |
| WAN Services | £175,000 (inc VAT) |
| LAN and Wifi infrastructure | £1,800,000 (inc VAT) |

While we also hold information on the companies who provide these services/infrastructure, as well as the manufacturer of our wired network core and who maintains this, it is withheld from disclosure in accordance with sections 24 (national security) and 31 (law enforcement) of the FOIA. Further details about these exemptions are included below.

Section 24 – national security

We have concluded that withholding details of those who provide and maintain the IT systems requested is necessary for the purpose of safeguarding national security. This information is therefore exempt by virtue of section 24 FOIA. This is a qualified exemption and the public interest test applies.

We recognise that there is a legitimate public interest in disclosing details of those who provide IT systems to the House. As these systems are financed by the public purse, disclosure would allow the public to determine that the systems we use are appropriate, cost-effective and fit for purpose. Releasing these details may also help to provide the public with a greater understanding of our IT necessities, in turn providing them with greater insight into what is needed for Parliament to function in the current era.

However, we also recognise that there is a significant public interest in withholding these details. Our IT systems form part of the Critical National Infrastructure and have been identified as an asset which faces a high level of threat from cyber-attacks and which, if breached, would cause damage to the national infrastructure. These systems are used by MPs and their staff, as well as MPs in their capacity as Ministers, for the purposes of communication, scrutinising the work of the government and also in their parliamentary functions.

Disclosing the information requested, however, would be likely to compromise these systems and significantly increase the risk of them being subjected to cyber-attacks by both malicious groups and individuals. Disclosing the details of those who provide these systems would significantly increase the chance of them being targeted by hackers, as it would provide them with a means to breach and in turn compromise Parliament’s IT systems. In particular, disclosing details of these companies would make them more likely to be targeted with a supply chain attack, with any successful attack affecting the systems they provide to us in turn. Likewise, it would also tip off cyber-attackers on the systems we use specifically, in turn allowing these same malicious actors to more readily and specifically craft an attack against them, particularly via ransomware attacks. Furthermore, while some of these details may seem innocuous on their own, they could be used with either information from subsequent requests of this nature or public information which arises regarding flaws or exploits within the systems provided by these companies in order to more easily target our systems also (usually known as a mosaic effect).

Any breach of our systems could enable access to personal constituency data, and perhaps classified material, and could affect the ability of the House to carry out its business properly. It could also expose individuals who are linked through their work to government departments or other branches of the state to criminal activities, compromising national security as a result. As this information has the potential to compromise the fundamental systems of the House and by extension the functioning of government departments, and also to render them potentially vulnerable to cyber security threats, the wider public interest is therefore to favour non-disclosure in this instance.

For these reasons, we have concluded that the public interest in withholding the information outweighs the public interest in disclosure.

Section 31 – law enforcement

We also consider that disclosing the same information would be likely to prejudice the prevention or detection of crime and the apprehension of offenders. This information is therefore also exempt by virtue of section 31(1)(a) and (b) FOIA. This is a qualified exemption and the public interest test applies.

As stated before, there is a general public interest in the transparency and accountability of this information. Providing further details about the IT systems and programs we use would further help to reassure the public that our systems are a priority for the work of Parliament and have been chosen and acquired in a sensible and appropriate manner. Likewise, as these systems have been financed from the public purse there is a public interest in being able to determine whether the systems and programs we use are sensible, cost-effective and fit for purpose.

We have also considered the public interest in withholding the information. As stated before, the release of this information, especially when used alongside other public information, would provide a significant advantage to malicious actors looking to launch attacks against our IT systems. Information on the companies who supply these services would be of a significant benefit to criminal or malicious groups and individuals as it would allow them either to target these companies directly via a supply chain attack, in turn possibly affecting their services and compromising our systems in turn, or to target systems they supply to us directly, particularly if any flaws/issues regarding these systems were public knowledge. As a result, this would significantly increase the risk of a successful attack against our IT systems. If hackers were able to access our systems, either in part or in full, they would then be able to disrupt the workings of Parliament for a political purpose or for its own sake, as well as also allowing them to hold these systems to ransom in order to extort them for financial gain, or to steal confidential information for the same purpose. Groups such as these are known to indiscriminately target public authorities, including the NHS, for disruption and profit, and disclosing this information therefore carries this risk.

The House has a duty to maintain cyber security practices, and it faces the same threats to cyber security as any other public authority. The release of this information would therefore hinder the prevention and detection of crime as it would give an advantage to cyber attackers looking to target the IT systems of the House, in turn providing them with an advantage which they would not gain were the information exempt from release instead.

In these circumstances therefore, it is our view that the public interest in maintaining the exemption outweighs the public interest in disclosing the information.

7) When was your core network installed?
and
8) Has it been updated subsequently?

This information is held by the House of Commons. Our core network was installed in 2017, and we can confirm that it has been updated subsequently since then.

10) When is the contract renewal date?

This information is held by the House of Commons. Our contract renewal date for services to maintain our core network is 2024.

11) Please confirm value of the initial project?

This information is not held by the House of Commons. This is because we only hold costs for these as part of a wider transforming infrastructure programme, and it is not possible to disaggregate the costs of the initial project from the costs we hold for the programme as a whole.

12) Please confirm the value of annual support/maintenance services (in £)?

This information is held by the House of Commons. The value of our annual support/maintenance services is £1,000,000 inc VAT in total.