Telecoms businesses in the UK will have to follow new security rules or face a fine of 10 per cent of their turnover under a new law.
The new Telecommunications (Security) Bill, tabled in Parliament on Tuesday, aims to strengthen the security framework for technology used in 5G and full fibre networks and will also control the use of equipment and services supplied by high-risk vendors to telecom companies.
The bill has been tabled by the government to give itself more powers to secure the UK’s 5G and full fibre networks from high-risk vendors, particularly threat actors operating from or sponsored by Russia, China, North Korea, and Iran.
The new bill is also intended to strengthen the security framework for technology used in 5G and full fibre networks, including the electronic equipment and software at phone mast sites and in telephone exchanges which handle internet traffic and telephone calls.
Companies that fail to put adequate security measures in place will face fines of up to ten per cent of turnover or, in the case of a continuing contravention, £100,000 a day.
In a press release published earlier today, the government said the bill will provide it with “new national security powers to issue directions to public telecoms providers in order to manage the risk of high-risk vendors. While they are already banned from the most sensitive ‘core’ parts of the network, the Bill will allow the government to impose controls on telecoms providers’ use of goods, services or facilities supplied by high-risk vendors.”
“We are investing billions to roll out 5G and gigabit broadband across the country, but the benefits can only be realised if we have full confidence in the security and resilience of our networks. This groundbreaking bill will give the UK one of the toughest telecoms security regimes in the world and allow us to take the action necessary to protect our networks,” digital secretary Oliver Dowden said.
“To deliver the revolutionary economic and social benefits of 5G and gigabit-capable broadband connections, the government has decided to strengthen the overarching legal duties on providers of UK public telecoms networks and services as a way of incentivising better security practices.”
Given the government’s intent to oversee the security of 5G and full fibre networks in the UK, telecom providers will no longer have the luxury of setting their own security standards for their networks. Noting that telecom operators have so far had little incentive to adopt the best security practices, the government said the imposition of overarching legal duties will incentivise better security practices.
The Telecommunications (Security) Bill will also allow the government to issue specific security requirements that telecom providers will need to follow, and will give Ofcom stronger powers to monitor and assess operators’ security, alongside enforcing compliance with the new law. This will include carrying out technical testing, interviewing staff, and entering operators’ premises to view equipment and documents.
“The roll-out of 5G and gigabit broadband presents great opportunities for the UK, but as we benefit from these, we need to improve security in our national networks and operators need to know what is expected of them. We are committed to driving up standards and this bill imposes new telecoms security requirements, which will help operators make better risk management decisions,” said Dr Ian Levy, Technical Director at the NCSC.
The government believes the enactment of the Telecommunications (Security) Bill will, in the long run, prevent espionage attacks on networks, which can happen because of poor security in equipment supplied to telecoms providers, and will also prevent malicious actors from remotely disabling networks by exploiting insecure connections to other networks.
In essence, the new security bill will mandate telecom providers to:
- securely design, build and maintain sensitive equipment in the core of providers’ networks which controls how they are managed;
- reduce the risks that equipment supplied by third parties in the telecoms supply chain is unreliable or could be used to facilitate cyber attacks;
- carefully control who has permission to access sensitive core network equipment on site as well as the software that manages networks;
- make sure they are able to carry out security audits and put governance in place to understand the risks facing their public networks and services; and
- keep networks running for customers and free from interference, while ensuring confidential customer data is protected when it is sent between different parts of the network.
24th November 2020.