
Telephony and Storage (2023)

Request

  1. Please confirm the manufacturer of your telephony system(s) that are currently in place
  2. When is your contract renewal date?
  3. Who maintains your telephony system(s)?
  4. Do you use Unified Communications or Collaboration tools, if so which ones?
  5. What Microsoft 365 license do you have across the business e.g. E3, E5
  6. Which partner looks after your Microsoft tenant?
  7. Where do you host your applications? Do you have on-premise infrastructure or do you host your applications in public or private cloud? Which?
  8. Does your organisation use on-premise or cloud storage or both?
  9. Please confirm the on-premise hardware manufacturer
  10. Please confirm your cloud storage provider
  11. What is your annual spend on cloud storage?
  12. How do you back up your data and with who e.g. Backup as a Service

 

Response

Please note that whilst the House of Commons and House of Lords are two separate public authorities for the purposes of the Freedom of Information Act 2000 (FOIA), the information you have asked for in this instance is held bicamerally between the two Houses. Therefore, this response covers both Houses of Parliament.

1) Please confirm the manufacturer of your telephony system(s) that are currently in place

This information is held by the House of Commons. Microsoft are the manufacturer of our telephony systems, which include Skype for Business and Microsoft Teams. Polycom handsets are also in use by the House for these systems.

2) When is your contract renewal date?

This information is held by the House of Commons. The renewal date for the contract with our manufacturer is August 2023.

4) Do you use Unified Communications or Collaboration tools, if so which ones?

This information is held by the House of Commons. The House uses collaboration tools, specifically Microsoft Teams and Slack.

6) Which partner looks after your Microsoft tenant?

This information is not held by the House of Commons. We do not hold any information for this part of your request.

8) Does your organisation use on-premise or cloud storage or both?

This information is held by the House of Commons. The House uses both on-premises and cloud storage.

10) Please confirm your cloud storage provider

This information is held by the House of Commons. The House uses Microsoft Azure and Amazon Web Services (AWS) as our cloud storage providers.

3) Who maintains your telephony system(s)?
5) What Microsoft 365 license do you have across the business e.g. E3, E5
7) Where do you host your applications? Do you have on-premise infrastructure or do you host your applications in public or private cloud? Which?
9) Please confirm the on-premise hardware manufacturer
11) What is your annual spend on cloud storage?
and
12) How do you back up your data and with who e.g. Backup as a Service

While the House holds information relevant to these parts of your request, it is withheld from disclosure in accordance with sections 24 (national security) and 31 (law enforcement) of the FOIA. Further details about these exemptions are included below.

Section 24 – national security

We have concluded that withholding information about the specific IT systems and processes requested is necessary for the purpose of safeguarding national security. This information is therefore exempt by virtue of section 24 FOIA. This is a qualified exemption and the public interest test applies.

We recognise that there is a legitimate public interest in disclosing details of IT programs and systems used by the House. As these systems are financed by the public purse, disclosure would allow the public to determine that the systems we use are appropriate, cost-effective and fit for purpose. Releasing these details may also help to provide the public with a greater understanding of our IT necessities, in turn providing them with greater insight into what is needed for Parliament to function in the current era.

However, we also recognise that there is a significant public interest in withholding these details. Our IT systems form part of the Critical National Infrastructure and have been identified as an asset which faces a high level of threat from cyber-attacks and which, if breached, would cause damage to the national infrastructure. These systems are used by MPs and their staff, as well as MPs in their capacity as Ministers, for the purposes of communication, scrutinising the work of the government and also in their parliamentary functions. Disclosing the information requested, however, would be likely to compromise these systems and significantly increase the risk of them being subjected to cyber-attacks by both malicious groups and individuals. In particular, disclosing specific details of these systems and our annual spending would be extremely useful to an attacker looking to craft a targeted attack against the parliamentary network.

Disclosing details of the organisation who maintains our telephony system, for instance, would in turn make the system more susceptible to a supply chain attack, while details of the Microsoft 365 license we use would show the level of security monitoring we have in place, allowing malicious actors to more readily construct an attack in order to target our systems. Likewise, detailing where we host our applications, our on-premise hardware manufacturer as well as how we back up data and with whom would have the same effect, particularly for malicious actors looking to target our systems via ransomware attacks. Lastly, details on our annual spend would show the level of service and support we have, in turn allowing potential cyber-attackers to more readily determine the level of attack needed to launch a successful cyber-attack against our cloud storage, significantly compromising it in turn.

Furthermore, while some of these details may seem innocuous on their own, they could be used with either information from subsequent requests of this nature or public information which arises regarding flaws or exploits within the systems we use in order to more easily target our systems as a result (also known as a mosaic effect).

Any breach of our systems could enable access to personal constituency data, and perhaps classified material, and could affect the ability of the House to carry out its business properly. It could also expose individuals who are linked through their work to government departments or other branches of the state to criminal activities, compromising national security as a result. As this information has the potential to compromise the fundamental systems of the House and by extension the functioning of government departments, and also to render them potentially vulnerable to cyber security threats, the wider public interest is therefore to favour non-disclosure in this instance.

For these reasons, we have concluded that the public interest in withholding the information outweighs the public interest in disclosure.

Section 31 – law enforcement

We also consider that disclosing the same information would be likely to prejudice the prevention or detection of crime and the apprehension of offenders. This information is therefore also exempt by virtue of section 31(1)(a) and (b) FOIA. This is a qualified exemption and the public interest test applies.

As stated before, there is a general public interest in the transparency and accountability of this information. Providing further details about the IT systems and programs we use would further help to reassure the public that our systems are a priority for the work of Parliament and have been chosen and acquired in a sensible and appropriate manner. Likewise, as these systems have been financed from the public purse there is a public interest in being able to determine whether the systems and programs we use are sensible, cost-effective and fit for purpose.

We have also considered the public interest in withholding the information. As stated before, the release of this information could potentially be used, along with other public information, to launch attacks against our IT systems and equipment. It would be of a significant benefit to criminal or malicious groups and individuals as by being aware of the systems we use it would allow them to target these directly, particularly if any flaws/issues regarding these systems were public knowledge. Details of certain systems also, as well as our spend on cloud storage, would provide these same groups with valuable information on the extent of both our systems and the cyber security we have in place for them, in turn allowing them to more readily construct cyber-attacks against them. As a result, this would significantly increase the risk of a successful attack against our IT systems. If hackers were able to access our systems, either in part or in full, they would then be able to hold these to ransom in order to extort them for financial gain, or to steal confidential information for the same purpose. Groups such as these are known to indiscriminately target public authorities, including the NHS, for disruption and profit, and disclosing this information therefore carries this risk.

The House has a duty to maintain cyber security practices, and it faces the same threats to cyber security as any other public authority. The release of this information would therefore hinder the prevention and detection of crime as it would give an advantage to cyber attackers looking to target the IT systems of the House, and in turn providing them an advantage which they would not gain were the information exempt from release instead.

In these circumstances therefore, it is our view that the public interest in maintaining the exemption outweighs the public interest in disclosing the information.