UK Telecoms (Security) Bill: Stronger cyber security controls for the UK telecoms sector with a sting in their tail

Today the UK government introduced the Telecommunications (Security) Bill (the “Bill”) to Parliament, to more heavily regulate the UK telecoms sector and improve cyber security risk management, policy and enforcement.

With significant sanctions for non-compliance, this “ground breaking” Bill is expected to provide the UK with “one of the toughest telecoms security regimes in the world”, according to Digital Secretary Oliver Dowden.

The Bill aims to give the government unprecedented powers to elevate the security standards of the UK’s telecoms network and, in particular, sets out:

• new legal duties on telecoms firms to increase the security of the entire UK network
• new powers for the UK Government to remove high risk vendors
• new responsibilities for Ofcom to monitor telecom operators’ security
• fines of up to 10 per cent of turnover or £100,000 a day for failing to meet standards

We are currently analysing the detail of the Bill and its likely impact, and a further briefing will follow. We highlight some of the key initial takeaways for telecoms operators and equipment and software vendors below.

Backdrop of close regulatory scrutiny

The Bill follows a period of close scrutiny of the UK telecoms sector, particularly on the grounds of cyber security and national security. In July 2019 the government published the Telecoms Supply Chain Review setting out its plans to more heavily regulate the UK telecoms sector. In particular, the Review set out concerns about the security and resilience of the UK’s telecoms networks, as being “largely related to: (a) inadequate industry practices overall, driven by a lack of incentives to manage security risks to an appropriate level; and (b) the risk of national dependency on a small number of viable suppliers.” For further information refer to our previous blog post here.

The Review recommended a new robust security framework for the UK telecoms sector requiring operators to better manage security risks, which the new Bill now seeks to address. The Bill, if it is passed, will sit alongside the Network and Information Systems Regulations 2018 (“NIS Regulations”) which seek to raise level of the overall security and resilience of network and information across the European Union by implementing the Network Information Services Directive (2016/1148/EU) (“NIS Directive”). However, the Bill goes further than the NIS Regulations, which require operators beyond a certain threshold to meet a minimum standard of security and to report any interruption to essential services to the national competent authority, and would increase the onus on telecoms firms to increase the security of the entire UK network and allow the Government to remove high risk vendors. In addition, proposed fines in the Bill could be higher than fines under the NIS Regulations. The maximum fine under the NIS Regulation is £17 million.

The government is also expected to publish its 5G Diversification Strategy in due course to address the competition challenges posed by over reliance on too few vendors in the global telecoms supply chain.

Key initial takeaways:

New legal duties for communications providers: The government has decided to strengthen overarching legal duties on providers of UK public telecoms networks and services to incentivise better security practices. These legal duties will be set out in the Bill and communications providers will be required to ensure their networks and services conform to minimum security standards and limit the damage caused where these standards are not met.

The Bill envisages the government issuing secondary legislation setting out more specific security requirements that providers will need to follow to meet these duties. The requirements are likely to involve companies acting to:

• securely design, build and maintain sensitive equipment in the core of providers’ networks which controls how they are managed;
• reduce the risks that equipment supplied by third parties in the telecoms supply chain is unreliable or could be used to facilitate cyber-attacks;
• carefully control who has permission to access sensitive core network equipment on site as well as the software that manages networks;
• make sure they are able to carry out security audits and put governance in place to understand the risks facing their public networks and services; and
• keep networks running for customers and free from interference, while ensuring confidential customer data is protected when it is sent between different parts of the network.

The Bill will also be accompanied by new Codes of Practice to demonstrate how certain providers should comply with their legal obligations.

New government powers to remove high risk vendors: The Bill will provide the Government with new national security powers to issue directions to public communications providers to manage the risk of high risk vendors. While high risk vendors are already prohibited from the most sensitive “core” parts of the network, the Bill will also allow the government to impose controls on communications providers’ use of goods, services or facilities supplied by high risk vendors.

New responsibilities for Ofcom to monitor telecoms operator’s security: Alongside enforcing the new legislation, Ofcom will be given stronger powers to monitor and assess operators' security. This will include carrying out technical testing, interviewing staff, and entering operators’ premises to view equipment and documents.

Ofcom will also be given new powers to direct communications providers to take interim steps to address security gaps during the enforcement process, taking into account the Codes of Practice.

Weighty sanctions - a sting in the tail: Companies that do not comply with the new duties imposed by the Bill or do not follow directions on the use of high risk vendors could face significant fines of up to ten per cent of the turnover of the communications provider’s relevant business for the relevant 12 month period or, in the case of a continuing contravention, £100,000 per day. ‘Turnover’, for these purposes, will be calculated in accordance with such rules as may be set out by an order of the Secretary of State. And a ‘relevant business’ is defined as the provision of a public electronic communications network, service or the making available of associated facilities by reference to such network or service.

The DCMS Secretary of State will have powers to enforce compliance with designated vendor directions, including through fines, and can ask Ofcom to inspect and investigate and provide compliance reports to the government.

Next steps

The Bill will begin its passage through Parliament today. In parallel, the government will consult with industry stakeholders on the new framework before secondary legislation is laid in Parliament. The government will also launch a public consultation on the codes of practice after the Bill’s passage. This, alongside industry engagement in what the final Technology Security Requirements will look like, are important in insuring buy-in from industry of the new requirements.

Concluding comments

Given the significant government investment in rolling out the UK’s 5G and broadband networks, twinned with recent hostile cyber activity and the introduction of the National Security and Investment Bill earlier this month, it is unsurprising that cyber security and national security continue to sit high on the government’s agenda. The Bill, the National Security and Investment Bill and the NIS Regulations demonstrate the Government’s commitment in using legislation and industrial strategy to promote the UK as a global centre for cyber security.

By codifying more robust minimum security standards into legislation (as opposed to the current self-regulatory approach) and introducing substantial sanctions for non-compliance, the Bill should give communications providers an incentive to manage security risks to an appropriate level - which was stated to be missing previously under the Telecoms Supply Chain Review. It should also go some way to ensuring that vendors address any systematic engineering failures and that cyber security standards across providers are equalised.