UK Telecommunications Security Bill Would Ban HuaweiGovernment Set to Enforce Minimum Security Standards for Telecommunications Networks
Draft legislation introduced by the British government would create minimum, enforceable security standards for the nation's telecommunications providers, backed by penalties, including for any company that opted to use equipment from high-risk manufacturers such as China's Huawei.
On Tuesday, Prime Minister Boris Johnson's administration introduced the Telecommunications Security Bill.
The draft legislation requires telecommunications providers to follow specific, minimum security requirements for their networks and services - due to be detailed in the future via secondary legislation - which the government says will help "limit the damage of any breaches." Those requirements could also restrict the use of any equipment manufactured by whomever the government designates at any point in the future as being a high-risk vendor.
Businesses that fail to meet the security standards would face fines of up to 100,000 pounds ($134,000), and organizations that continue to fail to comply would face fines of up to 10% of their annual revenue.
Currently, telecommunications providers set their own security standards. But a review conducted last year by the government's Department for Digital, Culture, Media & Sport concluded that "there can be tensions between commercial priorities and security concerns, particularly when these impact on costs and investment decisions." The DCMS review called for "a strong policy response," including new legislation, to set minimum security standards for telecommunications providers, to be legally enforceable by telecoms watchdog Ofcom.
"We are investing billions to roll out 5G and gigabit broadband across the country, but the benefits can only be realized if we have full confidence in the security and resilience of our networks," says Secretary of State for Digital, Culture, Media & Sport Oliver Dowden. "This groundbreaking bill will give the U.K. one of the toughest telecoms security regimes in the world and allow us to take the action necessary to protect our networks."
Seeking Better Cybersecurity Defenses
Officials say the legislation is designed to make the nation's telecommunications networks tougher to crash or hack.
The new rules are also meant to help guard against campaigns such as Cloud Hopper. The 2018 Cloud Hopper attacks, attributed to Chinese APT group APT 10, hit managed service providers to steal aerospace, defense, telecommunications and other secrets from organizations in Britain and beyond. Officials in Britain and the U.S. say APT 10 has worked closely with China's Ministry of State Security.
Regulation by Ofcom
The Telecommunications Security Bill gives Ofcom the ability to not only enforce the rules, but also to conduct technical testing; access operators' premises to view equipment, operations and policies; and interview staff.
"The rollout of 5G and gigabit broadband presents great opportunities for the U.K. but, as we benefit from these, we need to improve security in our national networks, and operators need to know what is expected of them," says Ian Levy, technical director at Britain's National Cyber Security Center, which is the public-facing arm of intelligence agency GCHQ.
"We are committed to driving up standards, and this bill imposes new telecoms security requirements, which will help operators make better risk management decisions," he says.
U-Turns Over Huawei
The introduction of the new legislation in the U.K. follows a number of telecommunications security U-turns by Johnson over the so-called "Huawei question." It concerns whether Chinese networking equipment manufacturers can be trusted, or if their technology might be subverted by the Chinese government to spy via other nations' infrastructure. Of particular concern is China's National Intelligence Law of 2017, which the nation could use to order a company to act in a manner that might harm other nations. Intelligence experts have also warned that China could instruct domestic suppliers to halt software or hardware updates or replacements to foreign telecommunications firms, for example, as part of a trade dispute.
But in January, Johnson's government announced that, after a review by the NCSC's Huawei Cyber Security Evaluation Center, equipment from high-risk vendors would be excluded from "core" parts of the nation's telecommunications infrastructure and only allowed to comprise up to 35% of each provider's entire network. Since 2010, the NCSC has been closely studying equipment built by Huawei, reporting problems back to the manufacturer and making recommendations to British policymakers (see: UK Approves 'Limited' Role for Huawei in 5G Networks).
The move also came in the face of Britain's two largest telecommunications firms - BT and Vodafone - lobbying Johnson to not fully ban Huawei hardware from the nation's 5G rollout. Vodafone CEO Nick Read warned that doing so would lead to a costly, two-year delay in Europe's 5G implementation and disrupt customers.
But after the U.S. unveiled steeper sanctions against Huawei in July, citing national security concerns, the government announced that all equipment from high-risk vendors, including Huawei, would have to be removed from U.K. 5G networks by the end of 2027 (see: UK Reverses Course, Bans Huawei Gear From 5G Networks).
Expanded National Security Powers
The new Telecommunications Security Bill would give the government the power to enforce that decision. It would also give the government new national security powers to designate other manufacturers as being high-risk vendors and to restrict how telecommunications providers use any such vendors' goods, services or facilities.
Huawei has derided the British government's decision to block its equipment from the country's 5G networks, as now enshrined in the draft legislation.
"This decision is politically motivated and not based on a fair evaluation of the risks," says Huawei Vice President Victor Zhang. "It does not serve anyone's best interests as it would move Britain into the digital slow lane and put at risk the government's leveling-up agenda."
The government says it will work with industry representatives to determine the minimum security standards it plans to enforce. But it says the final rules will likely set requirements for:
- Security by design: "Securely design, build and maintain sensitive equipment in the core of providers' networks, which controls how they are managed."
- Supply chain risk management: "Reduce the risks that equipment supplied by third parties in the telecoms supply chain is unreliable or could be used to facilitate cyberattacks."
- Access control: "Carefully control who has permission to access sensitive core network equipment on-site as well as the software that manages networks."
- Auditability and accountability: "Make sure they are able to carry out security audits and put governance in place to understand the risks facing their public networks and services."
- Availability: "Keep networks running for customers and free from interference, while ensuring confidential customer data is protected when it is sent between different parts of the network."
Forthcoming: 5G Diversification Strategy
Last year's DCMS study also concluded that, from a national security standpoint, Britain relies on too few suppliers for its 5G gear.
Due to years of underinvestment in alternative technologies and domestic manufacturing capabilities, many Western governments - including Britain - have found themselves with no access to trusted options that are as advanced or inexpensive as what Chinese manufacturers can offer. Belatedly, however, the U.S., U.K. and EU have been moving to bolster their domestic offerings (see: Britain's 5G Policy Failure: No Ideal Alternative to Huawei).
DCMS says it will soon publish a "5G diversification strategy" that will "outline new measures to boost competition and innovation in the telecoms supply chain and reduce dependence on individual suppliers."