The government today tabled the new Telecommunications (Security) Bill in Parliament that will strengthen the security framework for technology used in 5G and full fibre networks and will also control the use of equipment and services supplied by high-risk vendors to telecom companies.
The new Telecommunications (Security) Bill has been tabled by the government to give itself more powers to secure the UK's 5G and full fibre networks from hostile actors, particularly threat actors operating from or sponsored by Russia, China, North Korea, and Iran.
The new bill will govern technology and equipment used in 5G and full fibre networks, including the electronic equipment and software at phone mast sites and in telephone exchanges which handle internet traffic and telephone calls.
In a press release published earlier today, the government said the bill will provide it with "new national security powers to issue directions to public telecoms providers in order to manage the risk of high-risk vendors. While they are already banned from the most sensitive ‘core’ parts of the network, the Bill will allow the Government to impose controls on telecoms providers’ use of goods, services or facilities supplied by high-risk vendors."
Effectively, the government will use the bill to direct and force telecom operators to immediately stop using technology and equipment supplied by high-risk vendors, failing which the operators will be fined either up to ten percent of turnover or, in the case of a continuing contravention, £100,000 per day.
“We are investing billions to roll out 5G and gigabit broadband across the country, but the benefits can only be realised if we have full confidence in the security and resilience of our networks. This groundbreaking bill will give the UK one of the toughest telecoms security regimes in the world and allow us to take the action necessary to protect our networks,” said Digital Secretary Oliver Dowden.
Given the government's intent to oversee the security of 5G and full fibre networks in the UK, telecom providers will no longer have the luxury of setting their own security standards in their networks. Noting that telecom operators have so far had little incentive to adopt the best security practices, the government said the imposition of overarching legal duties will incentivise better security practices.
The Telecommunications (Security) Bill will also allow the government to issue specific security requirements that telecom providers will need to follow, and will also give Ofcom stronger powers to monitor and assess operators’ security, alongside enforcing compliance with the new law. This will include carrying out technical testing, interviewing staff, and entering operators’ premises to view equipment and documents.
“The roll-out of 5G and gigabit broadband presents great opportunities for the UK, but as we benefit from these we need to improve security in our national networks and operators need to know what is expected of them. We are committed to driving up standards and this bill imposes new telecoms security requirements, which will help operators make better risk management decisions,” said Dr Ian Levy, Technical Director at the NCSC.
The government believes the enactment of the Telecommunications (Security) Bill will, in the long run, prevent espionage attacks on networks that happen because of poor security at the companies that provide equipment support to telecoms providers, and will also prevent malicious actors from remotely disabling networks by exploiting insecure connections to other networks.
In essence, the new security bill will mandate telecom providers to:
- securely design, build and maintain sensitive equipment in the core of providers’ networks which controls how they are managed;
- reduce the risks that equipment supplied by third parties in the telecoms supply chain is unreliable or could be used to facilitate cyber attacks;
- carefully control who has permission to access sensitive core network equipment on site as well as the software that manages networks;
- make sure they are able to carry out security audits and put governance in place to understand the risks facing their public networks and services; and
- keep networks running for customers and free from interference, while ensuring confidential customer data is protected when it is sent between different parts of the network.