Government publishes new Telecommunications (Security) Bill introducing tougher security rules for telecoms companies

The Government says that the new Bill aims to give it “unprecedented new powers to boost the security standards of the UK’s telecoms networks and remove the threat of high risk vendors”.

The Government says that the Bill will strengthen the security framework for technology used in 5G and full fibre networks, including the electronic equipment and software at phone mast sites and in telephone exchanges, which handle internet traffic and telephone calls. This is, the Government says, a “significant step to protect the UK from hostile cyber activity by state actors or criminals”. Over the past two years the Government has attributed a range of cyber attacks to Russia and China, as well as to North Korean and Iranian actors.

The Bill will also provide the Government with new national security powers to issue directions to public telecoms providers in order to manage the risk of high risk vendors. While high risk vendors are already banned from the most sensitive “core” parts of the network, the Bill will allow the Government to impose controls on telecoms providers’ use of goods, services or facilities supplied by them. Companies that fall short of the new duties or do not follow directions on the use of high risk vendors could face heavy fines of up to 10% of turnover or, in the case of a continuing contravention, £100,000 per day. Ofcom will be given the duty of monitoring and assessing the security of telecoms providers.

In July, following advice from the National Cyber Security Centre (NCSC), the Government announced new controls on the use of Huawei 5G equipment, including a ban on the purchase of new Huawei equipment from the end of this year and a commitment to remove all Huawei equipment from 5G networks by 2027. The Bill creates the powers that will allow the Government to enshrine those decisions in law and manage risks from other high risk vendors in the future.

Currently, telecoms providers are responsible by law for setting their own security standards in their networks. However, the Telecoms Supply Chain Review concluded by the Government last year found that providers often have little incentive to adopt the best security practices. Accordingly, the Government has decided to strengthen the overarching legal duties on providers of UK public telecoms networks and services as a way of incentivising better security practices.

These duties will be set out in the Bill and will mean telecoms providers will need to take appropriate action to bring in minimum security standards for their networks and services and to limit the damage of any breaches.

The Bill will allow the government to issue specific security requirements that providers will need to follow to meet these duties. These requirements will be set out in secondary legislation, but are likely to involve companies acting to:

  • securely design, build and maintain sensitive equipment in the core of providers’ networks which controls how they are managed;
  • reduce the risks that equipment supplied by third parties in the telecoms supply chain is unreliable or could be used to facilitate cyber attacks;
  • carefully control who has permission to access sensitive core network equipment on site as well as the software that manages networks;
  • make sure they are able to carry out security audits and put governance in place to understand the risks facing their public networks and services; and
  • keep networks running for customers and free from interference, while ensuring confidential customer data is protected when it is sent between different parts of the network.

New Codes of Practice will demonstrate how certain providers should comply with their legal obligations. These will be published once the Bill has received Royal Assent.

Ofcom will be given stronger powers to monitor and assess operators’ security, alongside enforcing compliance with the new law. This will include carrying out technical testing, interviewing staff, and entering operators’ premises to view equipment and documents.