The Telecommunications (Security) Bill as set out in Parliament will place legal duties on providers of UK public telecoms networks and services in terms of security.
Digital Secretary Oliver Dowden said: “We are investing billions to roll out 5G and gigabit broadband across the country, but the benefits can only be realised if we have full confidence in the security and resilience of our networks.
“This groundbreaking bill will give the UK one of the toughest telecoms security regimes in the world and allow us to take the action necessary to protect our networks.”
Once the Bill becomes law, UK Government would be able to issue specific security requirements that telecoms companies will need to follow. These will be set out in secondary legislation. The telecoms watchdog Ofcom will be given powers to monitor and assess operators’ security, alongside enforcing compliance. This will include carrying out technical testing, interviewing staff, and entering operators’ premises. New codes of practice will be published to detail how telcos can comply. The Department for Digital, Culture, Media & Sport (DCMS) Secretary of State will have powers to enforce compliance with designated vendor directions, including through fines.
Among the likely legal requirements – that a firm securely design, build and maintain sensitive equipment in networks; reduce the risks that equipment supplied by third parties in the telecoms supply chain is unreliable or could be used to make cyber attacks; control who has permission to access sensitive core network equipment on site, besides the software; security audits and governance to understand the risks facing public networks and services; and keep networks running for customers and free from interference, while ensuring confidential customer data is protected when it is sent over the network.
At the UK official National Cyber Security Centre (NCSC) Technical Director Dr Ian Levy said: “The roll-out of 5G and gigabit broadband presents great opportunities for the UK, but as we benefit from these we need to improve security in our national networks and operators need to know what is expected of them.
“We are committed to driving up standards and this bill imposes new telecoms security requirements, which will help operators make better risk management decisions.”
Comment
Jimmy Jones of cyber vulnerability assessment company Positive Technologies says: “While this legislation crystalises the penalties and locks the government’s advice in a legal framework, if it is aimed at Huawei then I think the damage had already been done. The uncertainty has meant mobile operators have already had to plan for the foreseeable future without Huawei and this just makes any reentry to the market even less likely for the company. What is really interesting here, is the law is establishing the operator’s security responsibility beyond the exclusion of certain vendors, to network security as a whole.
“Governments and agencies around the globe have recognised the stakes are even higher for 5G, which promises to connect exponentially more devices and be the core infrastructure for connected cities. This makes the consequences of security vulnerabilities more dangerous than simply having your internet or phone service go down. It is now an issue of critical national infrastructure, which is why the guidance released by the EU, and more recently the US, and now the UK government are taking this major step in legally enforcing security standards.
“However, 100 per cent 5G networks will not suddenly appear. All of those millions of legacy devices and the older networks around the world cannot just be switched off in one day. They will co-exist for many years to come. The telecoms industry also needs to address the inherited security flaws across previous generation networks. We have witnessed firsthand the security threats that stem from network vulnerabilities, that threaten both telecoms operators and their subscribers. These include the potential for denial of service attacks, fraud, call interception and tracking user locations. Our recent research showed 100pc of 4G networks are susceptible to Denial of Service attacks and with 5G heavily integrated to previous generations for the foreseeable future, it is not immune.
“The new fines announced today for operators that are not meeting standards are another major financial incentive to get security in order. The security obligations – which include rules on who has access to sensitive parts of the “core” network, how security audits were conducted, and protecting customer data – will force operators to improve their security protection for the whole network rather than just 5G.”
