UK government enshrines law to strip out ‘high-risk’ suppliers’ tech from networks

The UK government has passed into law legislation that it says will boost the security of the UK’s public telecoms networks and services and protect against the threat of high-risk equipment suppliers, principally those from China and, in particular, Huawei.

The government first introduced the Telecommunications (Security) Act in November 2020 in what it said was an attempt to drive up telecoms security standards and better protect people and businesses from hostile cyber attacks by state actors or criminals. This, it said, has been given even more pressing need by the roll-out in the UK of 5G and full-fibre broadband, bringing increased speed, scale and processing power to digital communications.

The Act’s genesis started when the Trump US government added Huawei to its Entity List on 16 May 2019 and, although not naming specific companies or territories, the initial ban aimed to “protect America from foreign adversaries who are actively and increasingly creating and exploiting vulnerabilities in information and communications technology infrastructure and services”.

The situation was ramped up with the decision on 15 May 2020 to extend restrictions on the sale of hardware and software to so-called “high-risk” suppliers, principally Chinese firms such as Huawei, leading to the company being unable to buy equipment from longstanding suppliers.

In July 2020, the UK government committed to a timetable for the removal of Huawei equipment from the country’s growing 5G communications infrastructure by 2027 – effectively a huge U-turn on the decision it took in January 2020 to restrict Huawei’s presence to just the radio access network element of 5G setups. The decision was said to have been made after the UK’s National Cyber Security Centre (NCSC) said the US move had created uncertainly around the Huawei supply chain, and the UK could no longer be confident that it would be able to guarantee the security of future Huawei 5G equipment.

As a consequence, the UK government made it illegal for UK telcos to purchase Huawei 5G network equipment from the end of 2020. In the second parliamentary reading of the Telecommunications (Security) Bill, the government decreed that local operators must stop installing any equipment from high-risk suppliers in 5G networks from the end of September 2021. Even as it made that decision, the government conceded that there would be a heavy price to pay, mainly by the country’s mobile operators.

Speaking to the House of Commons Science and Technology Committee in July 2020, Andrea Dona, head of networks at Vodafone UK, and Howard Watson, chief technology and information officer at BT Group, warned that to rip out long-established Huawei technology from their networks, not only from nascent 5G infrastructures but also long-established 4G and 3G nets, would cost both firms sums of money in the small billions.

They said they would need at least five years to carry out the work to avoid potential service blackouts and to avoid damaging both firms’ commitments to further developing a 5G infrastructure across the UK. Vodafone calculated in February 2020 that removing Huawei technology from its networks would cost about €200m over two years, while BT’s estimate in January 2020 was £500m over five years.

The Act has now received Royal Assent and the government insists that the country now has one of the strongest telecoms security regimes in the world. It noted that a number of other countries have already introduced, or are introducing, similar measures, including India, Germany and the Netherlands.

Previously, telecoms providers in the UK were responsible for setting their own security standards in their networks. Attacks on these networks can ruin lives and businesses, but they can also cost telecoms firms eye-watering sums to fix – anything up to £60m.

The legislation sets out new legal duties that telecoms operators will have to meet to keep public networks secure. It also gives the government new national security powers to designate telecoms suppliers as high risk and impose controls on telecoms providers’ use of goods, services or facilities supplied by them. Companies that fall short of the new duties or do not follow directions on the use of high-risk suppliers could face heavy fines of up to 10% of turnover or, in the case of a continuing contravention, £100,000 a day.

With the Act on the statute books, the government will now be able to make regulations via secondary legislation, setting out the specific requirements public telecoms providers will need to follow to meet their duties.

Requirements for telcos could include the need to: securely design, build and maintain sensitive equipment in the core of their networks which controls how they are managed; reduce the risks that equipment supplied by third parties in the telecoms supply chain is unreliable or could be used to facilitate cyber attacks; carefully control who has permission to access sensitive core network equipment on site, as well as the software that manages networks; make sure they are able to carry out security audits and put governance in place to understand the risks facing their public networks and services; and keep networks running for customers and free from interference, while ensuring confidential customer data is protected when it is sent between different parts of the network.

“This is a major step forward in protecting our internet traffic and the millions of calls we make every day,” said Julia Lopez, minister for media, data and digital infrastructure. “Risks to our telecoms networks can never be completely prevented, but we have raised security standards across the board. We can now manage our networks confidently and deliver the revolutionary benefits of 5G and full-fibre broadband to people and businesses.”

The government said it will now consult on the new framework ahead of it being brought into force, and on a new code of practice setting out technical guidance to help telecoms providers comply with their legal duties.

Communications regulator Ofcom has been given the duty of monitoring and assessing the security of telecoms providers and will publish and consult on its own guidance on how certain providers should comply with their legal obligations. Ofcom will have the ability to enter operators’ premises to view and test equipment, perform on-site interviews and request documents.