The UK seeks to remake its telecommunications sector, especially its security and supply chain risk aspects.
The government of Prime Minister Boris Johnson has released its telecommunications legislation that would delineate the United Kingdom’s (UK) approach to managing “high risk” companies such as Huawei. The Telecommunications (Security) Bill would reform how the UK regulates the security practices of telecommunications providers like Vodafone and also address risks to the nation’s telecommunications system.
The genesis of the legislation was the 2018 UK Telecoms Supply Chain Review, an inquiry launched “to address three key questions:
- How should we incentivise telecoms providers to improve security standards and practices in 5G and full fibre networks?
- How should we address the security challenges posed by vendors?
- How can we create sustainable diversity in the telecoms supply chain?”
A year later, the UK government “identified three areas of concern:
- Existing industry practices may have achieved good commercial outcomes but did not incentivise effective cyber security risk management.
- Policy and regulation in enforcing telecoms cyber security needed to be significantly strengthened to address these concerns.
- The lack of diversity across the telecoms supply chain creates the possibility of national dependence on single suppliers, which poses a range of risks to the security and resilience of UK telecoms networks.”
The Department asserted:
The Review recommended the establishment of a new security framework for the UK’s public telecoms providers, with its foundations set by new telecoms security requirements overseen by Ofcom and the government. It also recommended new national security powers for the government to control the presence of high risk vendors in UK networks.
Working in the background during this initiative was the pressure brought by the United States (U.S.) and the People’s Republic of China (PRC) over Huawei and 5G and the pending exit from the European Union (EU). The Trump Administration was making claims about the security of Huawei’s 5G technology and equipment, arguing it would serve to allow the PRC’s security services to spy in any nation that installed the PRC technology giant’s systems. At first, the UK tried to manage the risks its security services turned up in reviewing Huawei’s technology and sought a middle path where Huawei would have a significant role in 5G in the UK as it did for previous iterations of the nation’s wireless network.
However, this approach proved politically unfeasible when Conservative backbenchers indicated to Downing Street that they would amend a telecoms bill to ban Huawei. At this point, the Prime Minister changed tack and announced a ban, taking effect by 2027, on any new Huawei technology in the UK’s 5G networks. Johnson’s government nearly lost a vote in March on a different telecoms bill, sending his leadership team a signal they appear to have received. The reason given for the UK’s change was U.S. sanctions on Huawei that cut off its access to semiconductors, which allegedly made it impossible to rely on the company for the 5G rollout. In a fact sheet, it was claimed:
- On 14 July 2020 the Secretary of State for Digital, Culture, Media, and Sport (DCMS) announced in the House of Commons that UK telecoms providers should cease to procure any new 5G equipment from Huawei after 31 December 2020 and remove all Huawei equipment from 5G networks by the end of 2027.
- The government advised full fibre telecoms providers to transition away from purchasing Huawei full fibre equipment affected by the US sanctions. For full fibre networks, we have held a technical consultation with industry on the transition away from Huawei equipment, in order to better understand supply chain alternatives. The conclusions of the consultation will be announced in due course.
The Department for Digital, Culture, Media, and Sport (Department) explained in one fact sheet, “[t]he Telecommunications (Security) Bill is in two parts:
- Clauses 1 to 14 introduce a stronger telecoms security framework. The Bill amends the Communications Act 2003 by placing strengthened telecoms security duties on public telecoms providers. To support these duties, the Bill will enable more specific security requirements to be set out in secondary legislation, underpinned by codes of practice providing guidance on the security measures to be taken to meet those requirements. The Bill gives the telecoms regulator, the Office of Communications (Ofcom), powers to monitor and enforce industry compliance with the duties and specific security requirements. It places new obligations on public telecoms providers to share information with Ofcom that is necessary to assess the security of their networks, including reporting duties in the event of a security compromise. It also places new duties on Ofcom to promote security and resilience of public telecoms providers. In addition, the Bill introduces financial penalties for non-compliance with the new duties and requirements placed on public telecoms providers.
- Clauses 15 to 23 introduce new national security powers for the government to manage risks posed by high risk vendors. The Bill creates new powers for the Secretary of State to designate vendors for the purpose of issuing directions to public communications providers imposing controls on their use of those designated vendors’ goods, services and facilities. Designation and the giving of directions can only take place where the Secretary of State considers it is necessary in the interests of national security. The Bill makes it a duty for providers to comply with the requirements set out in the directions and creates financial penalties for non-compliance. It also includes provisions to ensure the monitoring and enforcement of those requirements, including new powers for the Secretary of State to give monitoring directions to Ofcom requiring Ofcom to obtain information relating to a provider’s compliance with requirements in a direction, and to provide such information in a report to the Secretary of State.
In a different fact sheet, the Department described how telecommunications providers would be regulated under the new security framework: “strengthened overarching security duties, specific security requirements, and codes of practice.” The Department provided detail on each piece:
Security duties
The Bill introduces strengthened overarching security duties. These will require all telecoms providers to take appropriate and proportionate measures to identify and reduce the risks of security compromises occurring, as well as preparing for the occurrence of security compromises. Security compromises will include:
- anything that compromises the availability, performance or functionality of a network or service
- any unauthorised access to, interference with or exploitation of networks or services
- anything that compromises the confidentiality of signals or data
- anything that causes signals or data to be lost, unintentionally altered or altered without permission of the telecoms provider
- anything occurring in connection with a network or service that causes a compromise on another network or service that belongs to another telecoms provider
Telecoms providers will also be required to take appropriate and proportionate action after a security compromise has occurred, to limit damage and take steps to remedy or mitigate the damage.
Secondary legislation
The Telecommunications (Security) Bill also allows the government to make secondary legislation to detail specific security requirements that providers must meet. This will include targeted action to make sure telecoms providers securely design, construct and maintain network equipment that handles sensitive data; reduce supply chain risks; carefully control access to sensitive parts of the network; and make sure the right processes are in place to understand the risks facing their company’s public networks and services.
These requirements will be enforced by Ofcom and may be updated in the future where new threats arise or technologies evolve. The government will engage with telecoms providers on the technical detail of secondary legislation before it is finalised, during passage of the Bill. This engagement will help to inform an impact assessment, which will be published alongside the secondary legislation to assess costs and benefits to businesses.
Codes of practice
Finally, the Bill provides the government with the powers to issue codes of practice to provide guidance on how, and to what timescale, certain telecoms providers should comply with their legal obligations. For example, it will set out the detailed technical measures that should be taken to segregate and control access to the areas of networks that process and manage customers’ data. Ofcom will take relevant codes into account when monitoring and enforcing the new security framework.
There are telecoms companies of many different sizes providing telecoms networks and services, and while their security and resilience is critical, it is important their differences are recognised. To ensure measures are applied proportionately, the government intends to define three tiers of telecoms provider in an initial code of practice, which will be finalised via public consultation:
- The code of practice will apply to the largest national-scale (‘Tier 1’) telecoms providers, whose availability and security is critical to people and businesses across the UK. These providers will also be subject to intensive Ofcom monitoring and oversight.
- The code of practice will also apply to medium-sized (‘Tier 2’) telecoms providers, who will be subject to some Ofcom oversight and monitoring. These providers are expected to have more time to implement the security measures set out in the code of practice.
- The smallest (‘Tier 3’) telecoms providers, including small businesses and micro enterprises, will need to comply with the law. It is not anticipated that the code of practice will be applied to Tier 3 providers, but these providers may be subject to some limited Ofcom oversight.
The Bill includes a requirement for the government to consult on any codes of practice. DCMS will issue a full public consultation on the approach to implementing the code of practice following Royal Assent, including the approach to tiering and implementation timetables.
Alongside acting as a tool to help regulatory compliance, the code of practice will serve as best practice security guidance to all UK telecoms providers (including private networks).
The Department explained the new penalty scheme:
- For contravention of a security duty (other than the duty to explain a failure to follow a code of practice) Ofcom may impose a penalty up to a maximum of ten percent of a provider’s ‘relevant turnover’ or (in the case of a continuing contravention) £100,000 per day.
- For contravention of an information requirement or refusal to explain a failure to follow a code of practice, Ofcom may impose a penalty up to a maximum of £10 million or (in the case of a continuing contravention) £50,000 per day.
The other part of the bill, under which the Secretary of State would be empowered to address risk in the telecommunications system, is explained by the Department in a different fact sheet:
The Telecommunications (Security) Bill introduces new powers for the Secretary of State to manage the risks posed by high risk vendors. In the Bill, such vendors are referred to as ‘designated vendors’.
The Bill creates powers for the Secretary of State to:
- issue directions, in the interests of national security, to public communications providers placing controls on their use of goods, services or facilities supplied, provided or made available by designated vendors (‘designated vendor directions’)
- designate specific vendors, in the interests of national security, for the purpose of issuing the designated vendor directions (‘designated vendors’)
The Bill makes it a duty for public communications providers to comply with any requirements set out in a direction and introduces financial penalties for non-compliance. The Secretary of State will be responsible for assessing and enforcing compliance with any direction requirements. Ofcom may be tasked by the Secretary of State with gathering information relevant to the Secretary of State’s assessment of a provider’s compliance with a direction. Ofcom will provide such information to the Secretary of State in the form of a report, the frequency of which can be specified by the Secretary of State.
The Secretary of State will also be responsible for assessing and enforcing compliance with the requirements in the Bill relating to non-disclosure. The Bill enables the Secretary of State to impose requirements not to disclose particular information (such as in relation to a designated vendor direction or designation notice), where disclosure would be contrary to the interests of national security.
The Secretary of State will also be responsible for assessing and enforcing compliance with any requirements to provide information given under the information requirement power. These requirements can apply not just to telecoms providers but to anyone who appears to the Secretary of State to have information relevant to the exercise of the Secretary of State’s functions in relation to designation notices and designated vendor directions.
© Michael Kans, Michael Kans Blog and michaelkans.blog, 2019-2020. Unauthorized use and/or duplication of this material without express and written permission from this site’s author and/or owner is strictly prohibited. Excerpts and links may be used, provided that full and clear credit is given to Michael Kans, Michael Kans Blog, and michaelkans.blog with appropriate and specific direction to the original content.