The recently approved Telecommunications (Security) Bill will give the UK government new powers to enforce the country’s new security standards and “remove the threat of high-risk vendors”.
Specifically, the bill is concerned with the previously announced restrictions placed on operators in the development of 5G and full fibre networks. This includes the provision of equipment and software used for mobile masts and in telephone exchanges that handle internet traffic and telephone calls.
“We are investing billions to roll out 5G and gigabit broadband across the country, but the benefits can only be realised if we have full confidence in the security and resilience of our networks,” said Oliver Dowden, the UK’s Digital Secretary.
“This ground-breaking bill will give the UK one of the toughest telecoms security regimes in the world and allow us to take the action necessary to protect our networks.”
Back in July, Dowden announced that mobile operators will be banned by law from adding Huawei equipment to their 5G networks by the end of 2020. He added that they would also be required to remove all existing equipment from 5G networks by 2022, citing national network security as the reason for this decision.
Commenting on the news, Victor Zhang, president of Huawei, said: “It’s disappointing that the Government is looking to exclude Huawei from the 5G roll out. This decision is politically-motivated and not based on a fair evaluation of the risks. It does not serve anyone’s best interests as it would move Britain into the digital slow lane and put at risk the Government’s levelling up agenda.”
In addition to fines for operators who fail to comply with the vendor ban, the bill also enables the Government to impose controls on telcos’ use of goods, services or facilities supplied by high-risk vendors.
Ofcom has been placed in charge of “monitoring and assessing” the security of UK telcos, with additional powers to do so. The new bill enters these rules into law and enables the management of such risk from future high-risk vendors.
“While this legislation crystalizes the penalties and locks the government's advice in a legal framework, if it is aimed at Huawei then I think the damage had already been done,” said Jimmy Jones, Cyber Security Telecoms expert at Positive Technologies.
“The uncertainty has meant mobile operators have already had to plan for the foreseeable future without Huawei and this just makes any re-entry to the market even less likely for the company. What is really interesting here, is the law is establishing the operator’s security responsibility beyond the exclusion of certain vendors, to network security as a whole.”
“The new fines announced today for operators that are not meeting standards are another major financial incentive to get security in order. The security obligations - which include rules on who has access to sensitive parts of the "core" network, how security audits were conducted, and protecting customer data - will force operators to improve their security protection for the whole network rather than just 5G.”
At present, UK telcos are by law responsible for setting their own security standards in their networks. However, the Telecoms Supply Chain Review completed by the government last year found that “providers often have little incentive to adopt the best security practices”.
“The roll-out of 5G and gigabit broadband presents great opportunities for the UK, but as we benefit from these we need to improve security in our national networks and operators need to know what is expected of them,” added Dr Ian Levy, Technical Director of the National Cyber Security Centre.
“We are committed to driving up standards and this bill imposes new telecoms security requirements, which will help operators make better risk management decisions.”
As a result, the government has decided to strengthen the overall legal duties of UK telcos as a way of incentivising better security practices, with steps taken to put in place security standards for their networks.
These requirements will follow in a second piece of legislation but will likely include such things as controlling who has permission to access sensitive core network equipment on site and the software that manages networks, as well as securely designing, building and maintaining sensitive equipment in the core of their networks.
Additionally, the government has announced plans to publish its 5G Diversification Strategy, which will “outline new measures to boost competition and innovation in the telecoms supply chain and reduce dependence on individual suppliers”.