Bill “aims to give the government unprecedented new powers to boost the security standards of the UK’s telecoms networks and remove the threat of high risk vendors”.
The Telecommunications (Security) Bill has received its first reading in the House of Commons. Its key points are:
The Bill aims to strengthen the security framework for technology used in 5G and full fibre networks, including the electronic equipment and software at phone mast sites and in telephone exchanges which handle internet traffic and telephone calls.
The government says that this will be a significant step to protect the UK from hostile cyber activity by state actors or criminals. Over the past two years it has attributed a range of cyber attacks to Russia and China, as well as actors in North Korea and Iran. In July, following advice from the National Cyber Security Centre, the government announced new controls on the use of Huawei 5G equipment - including a ban on the purchase of new Huawei equipment from the end of 2020 and a commitment to remove all Huawei equipment from 5G networks by 2027.
The Bill will also provide the government with new national security powers to issue directions to public telecoms providers to manage the risk of high risk vendors. Although they are already banned from the most sensitive ‘core’ parts of the network, the Bill will allow the government to impose controls on telecoms providers’ use of goods, services or facilities supplied by high risk vendors.
Currently, telecoms providers are responsible by law for setting their own security standards in their networks. However, the Telecoms Supply Chain Review, concluded in 2019, found that providers often have little incentive to adopt the best security practices. Consequently, the government has decided to strengthen the overarching legal duties on providers of UK public telecoms networks and services as a way of providing incentives for better security practices. These duties will be set out in the Bill and will mean telecoms providers will need to take appropriate action to bring in minimum security standards for their networks and services and to limit the damage of any breaches.
The security requirements will be set out in secondary legislation (which will be consulted on) but are likely to involve companies acting to:
Ofcom will be given stronger powers to monitor and assess operators’ security, alongside enforcing compliance with the new law. This will include carrying out technical testing, interviewing staff, and entering operators’ premises to view equipment and documents. Ofcom will also be given a new power to direct telecoms providers to take interim steps to address security gaps during the enforcement process. Companies which fall short of the new duties or do not follow directions on the use of high risk vendors could face heavy fines of up to ten per cent of turnover or, in the case of a continuing contravention, £100,000 per day.
After the Bill has received Royal Assent, codes of practice will be published to provide guidance on how certain providers should comply with their legal obligations and will be taken into account by Ofcom.