The Communications Act 2003
- The Communications Act 2003 ("the 2003 Act") provides the current regulatory framework for telecommunications security. The responsibility for the management of security and resilience risks for UK telecoms is shared between Government, Ofcom and industry. The 2003 Act, as amended by the Electronic Communications and Wireless Telegraphy Regulations 2011, requires public telecommunications providers to take measures to protect the security and resilience of their networks and services, and gives Ofcom enforcement powers. The relevant provisions are found at sections 105A to 105D of the 2003 Act.
The UK Telecoms Supply Chain Review
- In 2018-2019, the Government carried out a review of UK telecoms networks’ supply chain arrangements. Conclusions of the review were published in the UK Telecoms Supply Chain Review Report in July 2019.
- The Review identified that inadequate industry security practices were driven by a lack of incentives to manage risk, including the inability of the regulatory framework to drive improvements in cyber security. It concluded that higher standards and practices of cyber security are required across the telecoms sector as a technical pre-condition for secure 5G and full fibre networks.
- The Review called for a new, more robust telecoms security framework that will meet security challenges both now and in the future, whilst ensuring the timely roll-out of the UK’s critical digital infrastructure. It suggested that, as technologies grow and evolve, the UK must have a security framework that is fit for purpose and ensures the UK’s telecoms critical national infrastructure remains safe and secure both now and in the future.
- The UK Telecoms Supply Chain Review Report explained that the Government would establish a new robust security framework for the UK telecoms sector, marking a significant shift from the current model. The new framework is necessary to safeguard the UK’s national security interests and will build on existing capabilities. It will provide clarity to industry, whilst providing the necessary flexibility and powers for the Government to respond appropriately as risks, threats and technologies change.
- The Report also explained that the Government would create new powers to manage the risks posed by high risk vendors. High risk vendors are those who pose greater security and resilience risks to UK telecoms networks. This new framework will help to ensure that telecoms providers are managing the security risks posed by all suppliers.
- The final conclusions of the Review, which were agreed by the National Security Council in January 2020, set out the need for new national security powers to control the presence of high risk vendors in UK networks.
High Risk Vendors
- On 28 January 2020, in light of detailed technical and security analysis provided by the National Cyber Security Centre (NCSC), part of GCHQ, the Government announced that new restrictions should be placed on the use of ‘high risk’ vendors in the UK’s 5G and full fibre networks. It announced that such vendors should be:
  - excluded from security critical network functions;
  - excluded from sensitive geographic locations; and
  - restricted to a minority presence in other network functions, up to a cap of 35%, subject to an NCSC-approved risk mitigation strategy.
- The Government stated in January 2020 that the NCSC would continue to review and update its advice as necessary. On 15 May 2020, the US Department of Commerce announced that new sanctions had been imposed against Huawei through changes to the foreign direct product rules. The new US measures restrict Huawei’s ability to produce essential components using US technology or software. The NCSC reviewed the consequences of the US actions, and reported to Ministers that they had significantly changed their security assessment of Huawei’s presence in the UK 5G network. The NCSC concluded that given the uncertainty the US sanctions created around Huawei’s supply chain, the UK could no longer be confident it would be able to guarantee the security of future Huawei 5G equipment affected by the change in the US foreign direct product rules. To manage this risk, the NCSC issued new advice to the Government on the use of Huawei in the UK telecoms network.
- The Government agreed with the NCSC’s advice that, to secure the UK’s public telecoms, providers should not use Huawei equipment affected by the US sanctions to build the UK’s future networks. Consequently, on 14 July it announced that public telecoms providers should:
  - stop purchasing affected 5G equipment from Huawei after 31 December 2020; and
  - remove all Huawei equipment from 5G networks by the end of 2027.
- The Government advised full fibre telecoms providers to transition away from purchasing Huawei full fibre equipment affected by the US sanctions. A technical consultation would determine the precise point from which full fibre telecoms providers should stop procuring affected equipment.
- The NCSC currently provides advice to public telecoms providers on the risks presented by high risk vendors and on the measures that the NCSC recommends they adopt as a result. The Act provides the Government with powers to impose binding controls on public communications providers’ use of high risk vendors.
Telecoms Security Framework
Responsibilities of Telecoms Providers
- The Government plans to provide the UK with one of the most robust telecoms security frameworks in the world. Telecoms companies – providers of public electronic communications networks and services (see definitions in Annex A) – are already required to implement general security protections under the existing 2003 Act provisions. The Government intends to build on these practices to remedy the flaws identified in the Telecoms Supply Chain Review.
- To do this, the Act sets out new duties on telecoms providers to raise the bar for security. It requires telecoms providers, overseen by Ofcom, to design and manage their networks to protect against existing and future threats to the UK’s network security. This means identifying, reducing and eliminating risks to networks and services. Public telecoms networks and services will be protected by the provider safeguarding their availability and confidentiality, and making them secure from unauthorised interference.
- Where security compromises do occur, the impact on end-users can be substantial and potentially damaging. The Act therefore places duties on providers to take appropriate and proportionate action to ensure that the effects of compromises are limited, and to act to remedy the impact on networks and services.
- While networks are owned and operated by different companies, there are common measures that can be taken to level up security protections across all networks and services. Analysis was conducted during the Telecoms Supply Chain Review, including in-depth contributions from and interviews with telecoms providers, vendors and other industry representatives. This engagement, plus the practical findings of threat-based, intelligence-led penetration testing and industry-submitted reports of breaches, identified the areas posing greatest risk to networks and services. This has been supplemented by NCSC threat analysis that determines the security outcomes most needed to prevent security flaws.
- The Act makes provision for the Secretary of State to make regulations, setting out common security outcomes and the actions to be taken to meet them. This includes the ability to make regulations that provide for measures to be taken to prevent security compromises, and – where specific compromises are detailed in the regulations – measures to remedy the effects of compromises on the network or service. Such regulations may include, for example, specific security requirements that ensure networks and services are securely built, managed and overseen, and that vendor procurement and ongoing management support security.
- The UK has a competitive telecoms market which spans large, multinational companies through to small and micro businesses. Reflecting this diversity, Ofcom as the communications regulator and the NCSC as the expert technical security authority provide support and advice, tailored to different types of provider, on appropriate detailed measures to secure their networks and services. The Government therefore recognises that guidance can provide clarity and certainty to providers for achieving compliance with legal obligations. The Act makes provision for the Secretary of State to issue a new telecoms security code of practice that will set out, for certain types of provider, the detailed and specific security measures they should take to comply with the law. These codes will be based on NCSC best practice security guidance, and the Government will consult publicly on their initial implementation and subsequent revision. The codes of practice will be admissible in legal proceedings, and a court or tribunal must consider them where they are in force and where a provision is relevant to the proceedings.
- The European Electronic Communications Code Directive (EECC) included provisions relating to telecoms security. Some of these reflected the previous EU framework for electronic communications and were already transposed into UK law. Others are being given effect through the Act. These address the obligations on providers to report a range of security incidents to Ofcom, which will give Ofcom the information it needs to understand security across the industry.
Ofcom’s Regulatory Powers
- The Act will provide Ofcom with stronger regulatory powers to enforce the new regime. It sets out new responsibilities for Ofcom to assess providers’ security. Ofcom has a power, going beyond the current audit powers, to issue assessment notices. These will allow Ofcom to assess, or commission others to assess, providers’ compliance. In completing these assessments, Ofcom will take into account any relevant code of practice. Ofcom will be able to complete audits of providers’ security provisions and technical tests of a provider’s security, as well as require providers to complete penetration testing that will simulate tactics that may be used by attackers.
- The Act will provide for a range of penalties should providers contravene their legal duties. These penalties consist of fines of up to 10% of turnover, or a daily penalty of £100,000 for continuing offences. There will also be increased penalties for security-related information offences: up to £50,000 per day or a maximum of £10 million.
- To ensure the Government can oversee the regime, Ofcom will be able to share information with the Government. For example, it can notify the Government about security incidents or the risks of security incidents. The Act also makes provisions for Ofcom to report on telecoms providers’ security to the Secretary of State. These reports will set out the extent to which providers are complying with new security obligations and are acting in accordance with the code of practice, as well as any action that Ofcom has taken in response to security compromises. Telecoms security will also be included in Ofcom’s periodic infrastructure report.
National Security Powers
- Telecoms security risks can to a large extent be managed and mitigated through technical measures (detailed in the security framework and the code of practice as set out above). However, the Government considers that some risks relating to the use of high risk vendors’ goods, services and facilities cannot be mitigated effectively solely through the requirements that will be imposed as part of the new telecoms security framework. Further measures are needed to enable the Government to manage the risks posed by those vendors. Such risks may arise from technical deficiencies, or from considerations relating to the ownership and operating location of the vendor.
- This Act will introduce new powers to enable the Secretary of State to designate specific vendors for the purposes of issuing designated vendor directions to public communications providers (see definition in Annex A). The designated vendor directions will place restrictions on the public communications provider’s use of the goods, services or facilities supplied by designated vendors. The restrictions that may be imposed include requirements that prohibit or restrict providers’ use of designated vendors’ equipment.
- Designations and directions may only be made in the interests of national security. When considering whether to designate a vendor, the Secretary of State will take into account a range of factors, including:
  - the strategic position or scale of the vendor in UK networks;
  - the strategic position or scale of the vendor in other telecoms networks, particularly if the vendor is new to the UK market;
  - the quality and transparency of the vendor’s engineering practices and cyber security controls;
  - the vendor’s resilience both in technical terms and in relation to the continuity of supply to UK operators;
  - security laws in the jurisdiction where the vendor is based and the risk of external direction that conflicts with the interests of national security;
  - the relationship between the vendor and the vendor’s domestic state apparatus;
  - the availability of offensive cyber capability by that domestic state apparatus, or associated actors, that might affect the national security of any country or territory.
- The Act will make it a duty for public communications providers to comply with any requirements specified in a designated vendor direction that follows designation, and will enable appropriate sanctions to be imposed for non-compliance. The Secretary of State will be responsible for taking forward any enforcement action as necessary, drawing upon information provided by Ofcom. Under the Act’s provisions, Ofcom can be tasked to gather information on telecoms providers’ use of designated vendors’ goods, services and facilities in relation to their compliance with requirements imposed in a designated vendor direction.
- The Act will create a power for the Secretary of State to require information from public communications providers about their current or planned use of vendors’ goods, services or facilities, or about the future development of their networks or services. This power can also be used to gather information about goods, services or facilities that vendors propose to supply. The power will be used to ensure the Secretary of State is informed about the demand and supply side of the telecoms market, enabling relevant security assessments to be made.
- The Act will also enable the Secretary of State to require providers to prepare and provide a plan to the Secretary of State and Ofcom setting out how they intend to meet any requirements specified in a direction.