The Government will today publish their Telecommunications (Security) Bill, which imposes new rules to improve the security of UK networks (mobile and broadband) and ban “high risk vendors” like Huawei, while also threatening fines of up to £100k a day (or 10% of turnover) against operators that fail to meet the standard.
Just to recap. Back in July 2020 the government confirmed that it intended to ban “high risk vendors” from future deployments of 5G mobile technology (here), which followed various US sanctions and security concerns around the role of Chinese firm Huawei in UK networks. Sadly, this move is also expected to delay completion of the 5G rollout by 2-3 years and add costs of up to £2bn to operators (e.g. BT (EE) expects to take a £500m hit).
Meanwhile a different approach is expected to be taken for “full fibre” (FTTP) and older fixed broadband networks, which can also use Huawei’s kit. The Government are already advising FTTP operators to “transition away from purchasing new Huawei equipment” and they expect this period to last “no longer than two years,” although exact details will depend upon the outcome of a technical consultation (removing existing FTTP kit, which might include ripping old ONTs off walls, would be particularly difficult without causing disruption for consumers).
However, the Government’s bill is about more than just Huawei. In particular, it imposes new legal duties on telecoms firms to increase the security of UK networks and limit the damage of any breaches, and it hands new responsibilities to Ofcom, which will be required to monitor operators and their security practices. Fines worth up to 10% of turnover or £100,000 a day could be tabled against operators that fail to meet standards.
The new powers will give Ofcom the ability to carry out related technical testing, interview staff, and enter operators’ premises to view equipment and documents.
New Telecoms Security Requirements (Draft)
Telecoms operators must:
— Securely design, build and maintain sensitive equipment in the core of providers’ networks which controls how they are managed;
— Reduce the risks that equipment supplied by third parties in the telecoms supply chain is unreliable or could be used to facilitate cyber attacks;
— Carefully control who has permission to access sensitive core network equipment on site as well as the software that manages networks;
— Make sure they are able to carry out security audits and put governance in place to understand the risks facing their public networks and services; and
— Keep networks running for customers and free from interference, while ensuring confidential customer data is protected when it is sent between different parts of the network.
Admittedly there’s no shortage of irony in a Government, which over the past few years has seen plenty of its own security lapses, trying to dictate the security practices for UK telecommunications operators. At this point it’s also worth remembering that there’s no such thing as 100% security and a cunning hacker, or state sponsored espionage, will often be able to find a way around even the best defences.
Otherwise, the new approach essentially ends the era of industry self-regulation, partly because last year’s Telecoms Supply Chain Review found that providers often have “little incentive to adopt the best security practices” (e.g. see TalkTalk’s 2015 security breach for an example).
Oliver Dowden MP, UK Digital Secretary, said:
“We are investing billions to roll out 5G and gigabit broadband across the country, but the benefits can only be realised if we have full confidence in the security and resilience of our networks.
This groundbreaking bill will give the UK one of the toughest telecoms security regimes in the world and allow us to take the action necessary to protect our networks.”
Dr Ian Levy, NCSC Technical Director, said:
“The roll-out of 5G and gigabit broadband presents great opportunities for the UK, but as we benefit from these we need to improve security in our national networks and operators need to know what is expected of them. We are committed to driving up standards and this bill imposes new telecoms security requirements, which will help operators make better risk management decisions.”
The final security requirements won’t be detailed in today’s bill and are instead due to be set out in secondary legislation (the government has promised to consult with the industry before tabling this). New codes of practice will also be required to help demonstrate how certain operators will be expected to comply with their legal obligations, but these will only be “published once the Bill has received Royal Assent” (possibly sometime late next year).
Colin Lees, Openreach Chief Technology and Information Officer, said:
“The security of our network and our customers’ networks has always been our first priority, with robust controls, testing, and design principles in place for all equipment and software. We’re well underway with our multi-vendor strategy having introduced Nokia a year ago and more recently Adtran as strategic equipment suppliers for our nationwide FTTP build.
We’re looking forward to working with the Government as these measures are implemented to ensure that they support the delivery of secure nationwide full fibre networks.”
Hamish MacLeod, Director at Mobile UK, said:
“Network security and resilience have always been a top priority for the UK’s mobile network operators. We support the framework for the Telecoms Security Bill and will continue to work closely with the Government to ensure the objectives of the Bill are fulfilled and to build on the already robust security measures mobile operators have in place.”
Meanwhile the Government has already established a new Telecoms Diversification Task Force, which is being led by Ex-BT CEO and former trade minister, Lord Ian Livingston, that hopes to encourage new suppliers to enter the market (UK and EU mobile networks are currently dominated by kit from Ericsson or Nokia). One catch here is that any changes may arrive too late to have much impact upon the 5G rollout.
The changes could potentially also raise the cost and complexity for new entrants wanting to join the market, although such things are often unavoidable and focusing on the importance of network security is broadly a positive step. The real test will be whether or not this legislation actually does what it says on the tin and helps to improve network security in the UK, which beyond a certain point can be quite a difficult thing to judge.
UPDATE 25th Nov 2020
The Internet Service Providers Association (ISPA) has also commented.
Andrew Glover, ISPA Chair, said:
“Security and resilience have long been priorities for ISPs as secure and robust networks are at the heart of delivering fast and reliable broadband. The UK currently has high cyber security standards, and this new and updated telecoms security framework will build on this as the threat landscape continues to evolve.
ISPA will be working closely with our members and policymakers on the Bill so that it provides a clear and workable set of rules to further protect users, and gives clarity to our members who are upgrading the UK’s broadband infrastructure and connecting consumers and businesses throughout the UK.”
Who decides what is a “high risk vendor”? Is it simply the Secretary of State producing a list of barred vendors, which they can update at a whim?
I don’t think any *technical* expert has found evidence of Huawei equipment having spyware or backdoors, at least no more than any other vendor like Cisco.
Yes there’s of course that element of doubt to it. Sadly, we mere mortals can’t examine the substance of those security fears that surround Huawei because such issues are a matter for national security and intelligence agencies (i.e. they’re secret).
I wouldn’t be so bold as to assume I know better. However, you could equally say it seems unlikely that so many countries would be creating such a fuss if there wasn’t a serious concern, which has been going on since long before the current crop of leaders came to power.
Otherwise this is about as close as you’re going to get:
https://www.gov.uk/government/publications/huawei-cyber-security-evaluation-centre-oversight-board-annual-report-2020
That’s very interesting. It basically says that Huawei’s coding practices, engineering processes and lifecycle management are poor (e.g. using obsolete components). It also says explicitly: “NCSC does not believe that the defects identified are a result of Chinese state interference.”
It would be interesting to see what would happen if an equally powerful spotlight were shone on any of the other major vendors in this space, or indeed whether OFCOM is required (or even permitted) to perform such an in-depth audit of these other vendors.
If it acts as a cost on the Chinese government for causing a pandemic then at least it’s one thing our country has done to stand up to them.
This is a minor irritation to the Chinese Government. The real pandemic here is how the world has become so dependent on them for manufacture and supply, from mundane items to the highest tech.
I’d be happier banning all Chinese imports of anything into the UK. Would send a far clearer message.
That would be like “The Day the World Stopped”. We simply need to wean ourselves off depending on people that do not share our values. We could start by not buying all these H112 and H818 routers.
If we are “going green” there is a lot to be said for a carbon barrier tax.
Essentially an import duty based on how dirty the production country is. Norway would be close to zero with all their HEP.
This will level manufacturing up a lot.
We have killed a lot of UK manufacturing with energy related green taxes & levies and other taxes so we can’t really compete in high energy production except where shipping costs or hyperlocal production swings the balance.
There is a lot less cost advantage to making things in China than there used to be so this would be a great way to onshore things and get China & India to clean up their industry and power production.
I can see this being the Biden way of applying pressure to China. They will hate it: they hate anything where they cannot just do as they please. Ultimately there won’t be much they can do about it as they depend on the west for the cash they need for the goods they produce so they cannot cut that off.
That is what I call levelling up IRL.
capslock error on the word ban 🙂
A serious allegation without equal level of proof to support, when it comes to China, how the sense has been lost? Such a sad
I don’t think the ONTs would need ripping out given the same model is used on BT’s and TalkTalk’s networks (Echolife), and both BT and TalkTalk use different suppliers for their GPONs?
OLT vendors aren’t known for supporting other OLT vendors’ equipment. If we’re scrapping Huawei, we need to move somewhere else, like Adtran or Nokia. Those vendors are looking at options to take on Huawei ONTs, but for now the support doesn’t exist, so you’d have to rip and replace ONTs.