
Government Creates Security Framework for the UK Telecoms Sector

Tuesday, July 23rd, 2019 (8:14 am)

The Government has concluded its Telecoms Supply Chain Review and plans to establish new Telecoms Security Requirements, which will be underpinned by a legislative framework that hands stronger enforcement powers to Ofcom in order to “protect” UK full fibre (FTTP) broadband and 5G networks from threats. But no decision on Huawei.

At the root of all this is a concern that some fixed line and mobile networks have become too dependent upon hardware and software solutions from countries such as China. In particular companies like Huawei have frequently been linked by various governments and their intelligence agencies to significant security concerns, although the exact details of all this remain somewhat opaque (here).

Nevertheless enough concern clearly exists for various countries to have already placed restrictions upon certain Chinese technology companies, particularly those that have been supplying core network kit to major telecoms operators. The UK itself has been warning operators, such as BT and many others, for years about the risk of depending on such kit (here) and has already told them not to use any from ZTE (here).

The situation with Huawei is more complicated because they have long been working alongside the Government to mitigate any perceived risks arising from their involvement in parts of the UK’s critical national infrastructure. On the other hand rising pressure from the USA has been nudging countries to take a tougher stance, albeit with significant consequences for the global supply chain (here).

Similarly the Huawei Cyber Security Evaluation Centre (HCSEC) recently said that “further significant technical issues” had been identified in the company’s engineering processes, leading to “new risks in the UK telecommunications networks.” At the same time it also said that “no material progress has been made by Huawei in the remediation of the issues reported last year.”

Earlier this year the outgoing UK Prime Minister, Theresa May, proposed to ban Huawei from the core of UK telecoms networks but leave non-core aspects (masts, street cabinets etc.) untouched (here). The final decision was expected to be unveiled as part of the Telecoms Supply Chain Review, but that has now been delayed due to the uncertainty around the position of the USA (President Trump recently proposed to relax his ban as part of on-going trade negotiations with China, but it’s unclear precisely what will happen).

In the meantime the review has proposed to establish new Telecoms Security Requirements, which will pursue a “three lines of defence” (see below) approach in relation to managing the security risks posed by vendors in both hardware and software.

Proposal for the Telecoms Security Requirements

• Require operators to subject vendors to rigorous oversight through procurement and contract management. This will involve operators requiring all their vendors to adhere to the new TSR;

• Require operators to work closely with vendors, supported by Government, to ensure effective assurance testing for equipment, systems and software, and support ongoing verification arrangements; and

• Impose additional controls on the presence of certain types of vendors which pose significantly greater security and resilience risks to UK telecoms. In considering what those controls should be, it is necessary to address the identified security risks, whilst seeking to minimise the costs to industry and the wider economy (as above, the final decision on such controls has been delayed).

The review claims that the TSR will “incentivise Huawei” to address the systemic engineering failures identified in the Oversight Board reports (HCSEC). Measures to equalise cyber security standards across vendors should also make it harder for a vendor to enjoy competitive advantage at the expense of security.

Moreover, operators who continue to use individual high risk vendors will be required to demonstrate to Ofcom and Government that they have put in place appropriate architectural controls and other measures to address the identified risks. The TSR will also require effective assurance testing and ongoing management of vendor equipment.

Jeremy Wright, Digital Secretary, said:

“The UK telecoms sector must prioritise secure and safe networks for consumers and business. With the growth of our digital sector and transformative new services over 5G and full fibre broadband in the coming years, this is not something to compromise on. People expect the telecoms sector to be a beacon of safety and this review will make sure that safety and security is at the forefront of future networks.”

The Government and Ofcom will next consult with industry on the new requirements before finalising the TSR, although until that’s ready they intend to “work with all telecoms operators to secure adherence to the new requirements” on a voluntary basis. The responsibility for the national security aspects of the TSR will rest with Government.

The difficulty for telecoms operators is that Huawei makes very good and affordable kit. A lot of operators and broadband ISPs had already planned to work closely with the Chinese firm in order to deploy new networks (e.g. 5G and fibre) and any new restrictions would thus impact their plans (i.e. the potential for much higher costs, worse performance and significantly slower roll-out), although today’s delay may be taken as a green light by some to continue deploying related kit.

Huawei itself has already strongly denied the accusations and in a public letter posted earlier this year said, “Huawei has never and will never use UK-based hardware, software, or information gathered in the UK or anywhere else globally, to assist other countries in gathering intelligence. We would not do this in any country.”

On the other hand critics of the company often point toward China’s new National Intelligence Law, which was passed in 2017 and demands that organisations “support, co-operate with and collaborate in national intelligence work.” Critics say the absence of true democracy in China might thus make it very difficult for any company to refuse such a request, although the UK’s own IPAct isn’t exactly a saint in this department either.

In the end it’s virtually impossible for ordinary folk to judge such things, as the crucial detail is a secret matter for the intelligence agencies and we wouldn’t be so bold as to assume we know better. On the other hand it’s worth remembering that no hardware and software is 100% secure; there will always be flaws that can be exploited no matter where it comes from.

Ofcom has agreed to (TSR):

• Include the finalised TSR, where appropriate, in its industry guidance, and use that to engage industry to understand supply chain risks and the arrangements adopted by operators to mitigate them;

• Engage industry as part of their Security and Resilience Assurance Scheme to gain regular updates on operators’ major supplier arrangements and TSR compliance plans, including how they are being dealt with at Board level;

• Where there is reason to suspect that conduct may also be a breach of a provider’s security and resilience obligations, use its current information gathering and audit powers to investigate suspected breaches of the TSR;

• Encourage providers to participate in Ofcom’s threat intelligence-led penetration testing scheme (TBEST) and, subject to third party contract arrangements, test operators’ vendor specific arrangements. Subject to any applicable restrictions on the disclosure of information, Ofcom would also aim to share thematic findings across the sector to support a culture of continuous improvement; and

• Increase analysis and reporting on network security and resilience.

By Mark Jackson
Mark is a professional technology writer, IT consultant and computer engineer from Dorset (England). He also founded ISPreview in 1999 and enjoys analysing the latest telecoms and broadband developments.