The UK Government proposes new law to enforce stronger security requirements in the telecoms sector; meanwhile, Government and Ofcom ‘will work closely and co-operatively with all UK telecoms operators’. The proposal arises from the published Telecoms Supply Chain Review.
As the document sets out, concerns about the security and resilience of the UK’s telecoms networks ‘are largely related to: (a) inadequate industry practices overall, driven by a lack of incentives to manage security risks to an appropriate level; and (b) the risk of national dependency on a small number of viable suppliers’ – namely ‘Huawei (the UK market leader), Ericsson and Nokia’.
Digital Secretary Jeremy Wright said: “The UK telecoms sector must prioritise secure and safe networks for consumers and business. With the growth of our digital sector and transformative new services over 5G and full fibre broadband in the coming years, this is not something to compromise on. People expect the telecoms sector to be a beacon of safety and this review will make sure that safety and security is at the forefront of future networks.”
The Government says that it will establish a new, robust security framework for the UK telecoms sector. Ciaran Martin, National Cyber Security Centre (NCSC) CEO, said: “As the UK’s lead technical authority, we have worked closely with DCMS [Department for Digital, Culture, Media and Sport] on this review, providing comprehensive analysis and cyber security advice. These new measures represent a tougher security regime for our telecoms infrastructure, and will lead to higher standards, much greater resilience and incentives for the sector to take cyber security seriously. This is a significant overhaul of how we do telecoms security, helping to keep the UK the safest place to live and work online by ensuring that cyber security is embedded into future networks from inception.”
According to the review, managing security and resilience risks for UK telecoms is shared between the Government, the telecoms regulator Ofcom and industry. Telecoms operators are responsible for assessing risks and taking measures to ensure the security and resilience of networks. But, due to cost, ‘there can be tensions between commercial priorities and security concerns’. As the report points out, good commercial outcomes can result in poor cyber security.
Countries are taking varying approaches to 5G security, the report notes. As for the risks posed by vendors, the report suggested a ‘three lines of defence’ approach: procurement and contract management; assurance testing for equipment, systems and software; and ‘additional controls on the presence of certain types of [unnamed] vendors which pose significantly greater security and resilience risks to UK telecoms’. While the report did note the US moves against Huawei as a Chinese company, the report said that the UK Government ‘is not yet in a position to make a final decision on individual high risk vendors and the additional controls that will be applied to them’.
Tim Dunton, MD, Nimbus Hosting, described the proposed standards as the very minimum that should apply. He said: “The UK’s telecommunications industry is the backbone of the wider digital economy and these proposals for more rigorous security standards are long overdue. With millions of businesses implementing digital transformation initiatives, through cloud adoption and increased connectivity, it’s vital that all supporting telco infrastructure is properly protected from outsider threats.”
Dmitry Kurbatov, CTO of telecoms security company Positive Technologies, said: “Despite the controversy which continues to bombard the headlines, banning a telecoms vendor as major as Huawei in the launch of 5G would result in additional cost. Huawei is already embedded so much in the 5G ecosystem, mainly because many mobile network operators have already purchased or ordered Huawei equipment.”
On lack of diversity in the supply chain, Kurbatov said this can’t be solved with a solution as idealistically simple as swapping it for an alternative vendor. “There is also the additional cost of delaying deployments, as companies had already tested 5G equipment, chosen Huawei, and were ready to buy. If Huawei is taken away as an option, this whole process – including testing – would have to be started all over again. Unfortunately, the potential cost of security vulnerabilities in the 5G network is almost impossible to estimate. What we can say for sure is that the more we rely on networks – for example for critical infrastructure, smart cities, the internet of things, autonomous cars – the bigger the risk we will observe in case of outages.”