The British Parliament has advanced its bill to secure its current and future telecommunications networks.
The Johnson government is trying to get legislation through Parliament to secure the country’s 5G networks.
After a long lead-up over the last few years, London is moving on telecommunications legislation that would limit and even remove “high risk vendors,” a term of art to describe questionable equipment, hardware, and software. In reality, this legislation aims to limit the use of Huawei and ZTE gear on British networks, especially its 5G networks.
The “Telecommunications (Security) Bill” would rewrite Sections 105A to 105D of the Communications Act 2003. British telecommunications providers will need to meet new duties to implement security measures, take measures to respond to security compromises, and inform users of risks of security compromise. Failures to meet these new duties would open such providers to the Office of Communications’ increased enforcement and civil liability. The Department for Digital, Culture, Media and Sport would also receive powers to enforce the new regime.
The United Kingdom’s (UK) bill advances in the House of Commons to drive better security in its telecommunications sector, especially for its 5G rollout. Concern about the People’s Republic of China’s (PRC) growing role in 5G has been driving this bill, and members of the ruling party have pushed Prime Minister Boris Johnson’s government to take more stringent action than it initially proposed. Action from the previous government in Washington also pushed London to take more drastic steps than it initially intended. The British government and its regulators crafted a phrase they apparently hope will incur less of the PRC’s wrath: “high-risk vendors.” Thus, the UK is looking to mitigate and lessen the impact and presence of such high-risk vendors on British telecommunications networks, almost all of which have been built and are maintained by private companies.
In late 2020, the Department for Digital, Culture, Media and Sport (DCMS) explained:
The Telecommunications (Security) Bill takes forward the government’s commitments within the Telecoms Supply Chain Review Report to establish an enhanced legislative framework for telecoms security, and to provide the government with the powers to take action on the use of high risk vendors on national security grounds.
DCMS released the first version of the “Telecommunications (Security) Bill” at the same time, along with a number of factsheets to explain the legislation. In an overview factsheet, the government asserted the rationale for the legislation is:
Currently there is a lack of incentives for telecoms providers to apply security best practices where there are no clear commercial incentives for investment. Providers face tensions between commercial priorities and security concerns, particularly when these impact on investment decisions. As wider UK Critical National Infrastructure becomes more dependent on the UK’s telecoms networks with the roll-out of full-fibre and 5G, it is vital that security concerns are properly accounted for and addressed.
Note the lack of reference to the companies and nations that will supply the UK’s telecommunications providers the equipment, hardware, and software.
However, in debate in the House of Commons, the government made clear the PRC is indeed one of the nations driving this legislation. Secretary of State for Digital, Culture, Media, and Sport Oliver Dowden stated:
- This Bill acts on the recommendations of the United Kingdom telecoms supply chain review, which in turn was informed by the expert technical advice at the National Cyber Security Centre in GCHQ. First, it establishes a tough new security framework for all the UK’s public telecoms providers. This will be overseen by the Office of Communications (OFCOM or Ofcom) and the Government, and they will have a legal duty to design and manage their networks securely. Rigorous new security requirements will be set out in secondary legislation, and codes of practice will set technical guidance on how providers should meet the law, and where providers are found wanting, Ofcom will have the power to impose steep fines. For example, under the current regime fines for failing to protect security are limited to just £2 million or £20,000 per day, while under the new regime they will rise significantly, to up to 10% of turnover or £100,000 per day. Under the current regime Ofcom has limited monitoring and enforcement powers. Under the new regime it will have the power to enter premises of telecoms providers, to interview staff and to require technical systems tests.
- If we pass this Bill, few other countries in the world will have a tougher enforcement regime, and the point of this Bill is not just to tackle one high-risk vendor; it raises the security bar across the board and protects us against a whole range of threats. According to the NCSC, the past two years have seen malicious cyber-activity from Russia and China as well as North Korea and Iranian actors. While I know that telecoms providers are working hard to protect our networks against this hostile activity, the Government have lacked the power to ensure they do so. This Bill puts a robust security framework in place, guaranteeing the protection of our networks.
This month, the “Telecommunications (Security) Bill” advanced from committee to the floor of the House of Commons giving Members of Parliament a chance to debate and amend the bill. The legislation would amend the sections of “The Communications Act 2003” that gave OFCOM the power to regulate and enforce the requirement that “public telecommunications providers…take measures to protect the security and resilience of their networks and services.”
In the Explanatory Notes, the Parliament provided an overview of the bill:
- The Telecommunications (Security) Bill (“the Bill”) takes forward the Government’s commitment in the UK Telecoms Supply Chain Review Report to introduce a new security framework for the UK telecoms sector to ensure that public telecommunications providers operate secure and resilient networks and services and manage their supply chains appropriately.
- The Bill amends the Communications Act 2003 by establishing a new telecommunications security framework, including new security duties on public telecommunications providers and new powers for the Secretary of State to make regulations and issue codes of practice. It includes provisions strengthening Ofcom’s regulatory powers, allowing them to enforce the new framework.
- The Bill also introduces new national security powers for the Government to impose, monitor and enforce controls on public communications providers’ use of designated vendors’ goods, services and facilities within UK telecommunications networks.
It was further explained:
- As outlined in the Future Telecoms Infrastructure Review (FTIR), the widespread deployment of 5G and full fibre networks is a primary Government objective. These networks will help to drive future economic growth, enabling a wide range of new products and services that require faster speeds and more processing power. 5G has the potential to connect a vast network of people, objects and communication systems, including those within critical sectors.
- The development of 5G and full fibre networks also creates new security challenges. The speed, scale and processing power of the UK’s future digital infrastructure will create new economic and social opportunities for greater connectivity, including across the UK Critical National Infrastructure (CNI) sectors that are likely to have a greater dependence on 5G infrastructure compared to that of legacy arrangements (2G/3G/4G). The technical characteristics of 5G networks increase their risk profile compared to previous generations of networks. 5G networks will run at much faster data speeds and will be based on software running on commodity hardware, rather than proprietary hardware. Over time, to achieve the full potential of 5G, some of the ‘core’ functions will move closer to the ‘edge’ of the network. As this happens, it will be necessary to ensure security arrangements are able to protect both the edge and core of the network.
- The security of telecoms infrastructure needs to be considered within an international context. Certain state, state-sponsored and other actors have the intent and capability to carry out espionage, sabotage and destructive or disruptive cyber-attacks, including through access to the telecoms supply chain. Since 2017, the UK Government has, based on National Cyber Security Centre (NCSC) assessments, attributed a range of malicious cyber activity to Russia and China, as well as North Korean and Iranian actors.
British telecommunications providers would need to undertake a new duty “to take security measures.” These entities “must take such measures as are appropriate and proportionate for the purposes of—
- identifying the risks of security compromises occurring;
- reducing the risks of security compromises occurring; and
- preparing for the occurrence of security compromises.”
DCMS would get discretionary authority to issue regulations directing British telecommunications providers to “take specified measures or measures of a specified description.”
UK telecommunications companies would also have a new duty “to take measures in response to security compromises.” Specifically, such companies “must take such measures as are appropriate and proportionate for the purpose of preventing adverse effects (on the network or service or otherwise) arising from the security compromise.” Additionally, “[i]f the security compromise has an adverse effect on the network or service, the provider of the network or service must take such measures as are appropriate and proportionate for the purpose of remedying or mitigating that adverse effect.”
DCMS would also be given the authority to issue regulations “that, where a security compromise of a specified description occurs in relation to a public electronic communications network or a public electronic communications service, the provider of the network or service must take specified measures or measures of a specified description.”
DCMS may also issue codes of practice for the aforementioned duties that could help shield telecommunications companies from liability in the event they are sued. Courts must take into account adherence to the DCMS codes of practice, but not using a code of practice is not automatically considered evidence the company failed to meet its statutory duties. OFCOM must also take into account compliance with a code when considering enforcement actions. But if OFCOM has reason to suspect a telecommunications provider has failed to meet a code of practice, it may direct the company to explain its failure.
In the event “where there is a significant risk of a security compromise,” British telcos “must take such steps as are reasonable and proportionate for the purpose of bringing the relevant information, expressed in clear and plain language, to the attention of persons who use the network or service and may be adversely affected by the security compromise.” OFCOM must also be informed. If there is a “serious threat” to the safety of the public, to public health, or to national security or other grounds, OFCOM must inform the DCMS. If there is a lesser level of risk, OFCOM may but does not need to tell DCMS as well as others, including the regulators in other nations, other companies, and users of the possibly compromised telecommunications network.
OFCOM is given the statutory duty to ensure telecommunications providers comply with the new security measures. OFCOM may assess how these entities are meeting their new duties, including through the performance of a range of actions to prove compliance. Additionally, OFCOM would have powers to direct companies to comply with a duty if urgency requires. Any telecommunications provider that receives such an order may challenge it in court.
In terms of other powers, OFCOM’s power to levy fines would be increased in some instances to £50,000-100,000 per day or a total of £10 million. OFCOM would be able to require covered entities to take “interim steps” if it has reasonable grounds to believe
- a security compromise has occurred as a result of the contravention;
- there is an imminent risk of a security compromise or (as the case may be) a further security compromise occurring as a result of the contravention;
Additionally, the DCMS would be empowered to issue “designated vendor directions” if the DCMS Secretary of State determines national security requires such an order and the direction in the order is proportional to the goal of the order. DCMS could then order OFCOM to monitor the telecommunications provider’s compliance with the directions. DCMS may also enforce the direction if the provider fails to heed the order; the government could levy a fine of £50,000-100,000 per day with a maximum of 10% of worldwide turnover.
DCMS may also issue urgent enforcement directions if the DCMS Minister determines
- there are reasonable grounds for believing that the person is contravening, or has contravened—
  - a requirement imposed by a designated vendor direction; or
  - a requirement not to disclose imposed under section 105Z25;
- there are reasonable grounds for suspecting that the case is an urgent case; and
- the urgency of the case makes it appropriate for the Secretary of State to take action under this section.
This section provides that “[a] case is an urgent case for the purposes of this section if the contravention has resulted in, or creates an immediate risk of—
- a serious threat to national security; or
- significant harm to the security of a public electronic communications network, a public electronic communications service or a facility that is an associated facility by reference to such a network or service.”
Last year, the UK’s National Cyber Security Centre (NCSC), which is housed within the Government Communications Headquarters (GCHQ), issued a summary of its security analysis of the U.K.’s telecommunications sector. This document “summarises the NCSC’s technical recommendations for improving the security of the UK’s telecoms sector, alongside a description of our technical security analysis that we used to derive these recommendations.” In a blog posting, NCSC Technical Director Dr. Ian Levy explained that “[d]ue to security and market sensitivities, it’s not possible to publish the full analysis and response, but we do want to explain the work behind our cyber security advice to ministers.”
NCSC has long been grappling with the security issues posed by Huawei. During his February 2019 CyberSec speech in Brussels, then NCSC CEO Ciaran Martin spoke on the rollout of 5G and continued cooperation with European partners aside and apart from Brexit. Regarding Huawei, Martin stated that “Huawei’s presence is subject to detailed, formal oversight, led by the NCSC.” He said that “[b]ecause of our 15 years of dealings with the company and ten years of a formally agreed mitigation strategy which involves detailed provision of information, we have a wealth of understanding of the company.” Martin explained that “[w]e also have strict controls for how Huawei is deployed…[i]t is not in any sensitive networks – including those of the government…[and] [i]ts kit is part of a balanced supply chain with other suppliers.”
In 2019, Huawei responded to a British Parliament committee and explained that it would spend $2 billion over five years in large part to remediate the shortcomings turned up by a British government oversight board. Huawei stated that this funding will “help ensure that our products are better prepared for a more complex security environment both now and in the future.” In January 2019, the Chair of the House of Commons Science and Technology Committee wrote Huawei with his concerns about the United Kingdom’s communications infrastructure in light of three Five Eyes nations’ actions to reduce the roles of Chinese firms in their systems and China’s recently enacted National Intelligence Law. In its annual report in July 2018, the Huawei Cyber Security Evaluation Centre (HCSEC) Oversight Board found that “[d]ue to areas of concern exposed through the proper functioning of the mitigation strategy and associated oversight mechanisms, the Oversight Board can provide only limited assurance that all risks to UK national security from Huawei’s involvement in the UK’s critical networks have been sufficiently mitigated.”
In April, HCSEC released its fifth annual report and found that Huawei has failed to address the issues turned up in the 2018 report. Notably, in its 2018 report, the Board stated “[d]ue to areas of concern exposed through the proper functioning of the mitigation strategy and associated oversight mechanisms, the Oversight Board can provide only limited assurance that all risks to UK national security from Huawei’s involvement in the UK’s critical networks have been sufficiently mitigated.” In this year’s report, the Board stated that “[n]o material progress has been made on the issues raised in the previous 2018 report.”
In mid-2020, the UK cited two policy changes in the United States (U.S.) as the reason to further minimize its use of Huawei equipment and systems. It was announced that the GCHQ’s NCSC would conduct a new security review of Huawei in light of the tightened restrictions announced in Washington that will likely cut off the flow of U.S. semiconductors to Huawei. A spokesperson for the British government stated “[f]ollowing the U.S. announcement of additional sanctions against Huawei, the NCSC is looking carefully at any impact they could have to the UK’s networks.”
In concert with this announcement, a number of Conservative Members of Parliament announced their intentions to oppose Prime Minister Boris Johnson’s plan to push legislation through parliament limiting Huawei equipment and systems to 35%. The Conservative MPs are of the mind, reportedly, that risk cannot be minimized if there is any Huawei equipment on the UK’s 5G or telecommunications networks. There appeared to be a sufficient number of MPs to block Johnson’s plan, and so his government changed tack and is looking to phase out current Huawei 3G and 4G equipment by the end of 2023, which would cost more than £7-8 billion. In March 2020, Johnson came within 13 votes of losing on an amendment barring Huawei equipment to a telecommunications bill.
Moreover, it has been reported that a number of Conservatives are angry with Beijing for passing a new security law for Hong Kong, a former British colony, which has pushed UK-PRC relations lower than they were in January when Johnson announced his plan.
DCMS Secretary Oliver Dowden made a “statement on telecoms” in the House of Commons, explaining the government’s change in plans regarding Huawei in particular. Dowden stated:
- In January, we set out to this House our conclusions on how we would define and restrict high risk vendors, keeping them outside the network’s core and away from critical infrastructure and sites.
- We have been clear-eyed from the start that the Chinese-owned vendors Huawei and ZTE were deemed to be high risk.
- And we made clear that the National Cyber Security Centre (NCSC) would review and update its advice as necessary.
He declared that “[s]ince January the situation has changed.” He added that “[o]n the 15th of May the US Department of Commerce announced that new sanctions had been imposed against Huawei through changes to the foreign direct product rules…a significant, material change – and one that we have to take into consideration.”
- This morning, the Prime Minister chaired a meeting of the National Security Council. Attendees at that meeting took full account of the NCSC’s advice, together with the implications for UK industry and wider geostrategic considerations.
- The government agrees with the NCSC’s advice: the best way to secure our networks is for operators to stop using new affected Huawei equipment to build the UK’s future 5G networks.
- So to be clear, from the end of this year, telecoms operators must not buy any 5G equipment from Huawei. And once the Telecoms Security Bill is passed it will be illegal for them to do so.
In a blog post and a summary, the NCSC explained in much more detail its analysis of the risks of using Huawei’s equipment, which derive mostly from the implications of US action and less from inherent risks.
NCSC Technical Director Dr Ian Levy explained “[i]n May, the US changed a subtle and detailed export control rule called the ‘Foreign-Produced Direct Product Rule’ (FDPR).” He added that “[t]he amended rule says that no-one, anywhere in the world, can send Huawei-designed chips to Huawei if US technology was used in the design tools or manufacture processes…[and] [t]his doesn’t just mean that Huawei can’t use design tools that contain US technology…[i]t also means:
- no-one else can take a Huawei design and turn it into chip manufacture instructions (usually something called a GDS2) using tools that contain US technology
- even if you’ve already got the GDS2 for a Huawei chip, you can’t actually turn it into a chip if your foundry process uses US technology (and for modern process nodes, US technology is pretty pervasive) or if the GDS2 was produced using US technology
The FDPR change wasn’t in effect in January. It is now, and that’s a material change to the facts on the ground that has led us to revisit our analysis. The NCSC now believes that there are only three things that can happen to help Huawei in response to this action. In our recent consultations with them, Huawei haven’t disagreed with this analysis. Those options are:
- Someone breaks US law and continues to manufacture. This is pretty unlikely. Huawei have always publicly said that they’ll follow applicable law, but the impact on any design house or foundry that went this way would be huge. Also – given there’d be a reasonable expectation that the chips broke US law – any organisation buying the equipment would be taking a significant risk.
- Huawei switch chips in equipment designs to ones that aren’t Huawei-designed, but perform the same sort of function. This is a big task. Assuming you can find someone to design a chip that’s near enough to the original, the integration into the wider product is a very complex job. This can’t be a direct replacement for a Huawei-designed chip, because then at least some of the design will be Huawei’s, and so likely caught by the rule. This is a really complex engineering task. And given Huawei’s continued lack of security or engineering quality as described in the Oversight Board reports, this is highly likely to introduce security and reliability problems into the equipment for the next few years at least.
- Someone makes new design tools and manufacturing processes for chips that don’t use any US technology and so can provide Huawei what they need. Good luck doing that quickly. You need to invent some new ways of doing really complex things (extreme UV lithography, multi-patterning etc.) while being bound by the laws of physics. The precise mechanisms the foundry uses to make these tiny transistors dictate the design rules your EDA tools have to enforce. As a cartoon example, if the foundry process produces some fuzziness around the edges of transistors, your design tool will need to leave more space between them, or the performance of the chip could be affected. The performance and capability of your EDA tools dictate what the foundry can build reliably. If your EDA tools can’t do lots of Maxwell’s equation solving, you’ll need to route wires differently round the chip and simplify your design. You don’t need to understand how a FinFET works or what a hi-K dielectric is to know that’s a ton of work that’s likely to fail a few times.
Levy explained “[t]oday, we are publishing guidance, supported by government, as to what this all means for the future telecoms network builds and to help operators understand the impacts of this decision…[and] [t]he guidance says that:
- existing Huawei equipment in the UK can continue to be used, subject to the HRV policy and our mitigation strategy
- operators need to procure enough spares to maintain the equipment for the expected lifetime
- operators should seek to cease procuring and deploying Huawei 5G access equipment, all transport equipment, and other miscellany to manage the long-term risks of the newly designed products (practically, procurements are likely to cease by the end of 2020)
- operators should seek to cease procuring and deploying Huawei FTTP (Fibre to the Premises) access equipment. It may take a bit longer for rollouts to cease in this case, so the Department for Digital, Culture, Media & Sport (DCMS) are going to work with industry to establish a manageable timeframe
In mid-May 2020, the U.S. Department of Commerce’s Bureau of Industry and Security (BIS) “announced plans to protect U.S. national security by restricting Huawei’s ability to use U.S. technology and software to design and manufacture its semiconductors abroad” per the agency’s press release. BIS released an interim final rule that takes effect as of 15 May, but the agency is accepting comments through 14 July, meaning there will be a final rule issued at some point in the future once the comments have been analyzed and addressed. Nevertheless, Commerce claimed the BIS interim final rule “cuts off Huawei’s efforts to undermine U.S. export controls.”
- BIS is amending its longstanding foreign-produced direct product rule and the Entity List to narrowly and strategically target Huawei’s acquisition of semiconductors that are the direct product of certain U.S. software and technology.
- Since 2019 when BIS added Huawei Technologies and 114 of its overseas-related affiliates to the Entity List, companies wishing to export U.S. items were required to obtain a license. However, Huawei has continued to use U.S. software and technology to design semiconductors, undermining the national security and foreign policy purposes of the Entity List by commissioning their production in overseas foundries using U.S. equipment.
- Specifically, this targeted rule change will make the following foreign-produced items subject to the Export Administration Regulations (EAR):
  - Items, such as semiconductor designs, when produced by Huawei and its affiliates on the Entity List (e.g., HiSilicon), that are the direct product of certain U.S. Commerce Control List (CCL) software and technology; and
  - Items, such as chipsets, when produced from the design specifications of Huawei or an affiliate on the Entity List (e.g., HiSilicon), that are the direct product of certain CCL semiconductor manufacturing equipment located outside the United States. Such foreign-produced items will only require a license when there is knowledge that they are destined for reexport, export from abroad, or transfer (in-country) to Huawei or any of its affiliates on the Entity List.
Commerce added that “[t]o prevent immediate adverse economic impacts on foreign foundries utilizing U.S. semiconductor manufacturing equipment that have initiated any production step for items based on Huawei design specifications as of May 15, 2020, such foreign-produced items are not subject to these new licensing requirements so long as they are reexported, exported from abroad, or transferred (in-country) by 120 days from the effective date.”
The PRC’s Commerce Ministry posted a statement, arguing “[t]he U.S. uses state power, under the so-called excuse of national security, and abuses export control measures to continuously oppress and contain specific enterprises of other countries.” The Ministry vowed the PRC will “take all necessary measures to resolutely safeguard the legitimate rights and interests of Chinese enterprises.”
© Michael Kans, Michael Kans Blog and michaelkans.blog, 2019-2021. Unauthorized use and/or duplication of this material without express and written permission from this site’s author and/or owner is strictly prohibited. Excerpts and links may be used, provided that full and clear credit is given to Michael Kans, Michael Kans Blog, and michaelkans.blog with appropriate and specific direction to the original content.