The UK government takes action on communications security
The UK communications sector is undergoing the deepest regulatory-driven change since the introduction of the General Data Protection Regulation (GDPR) a few years ago and even arguably since BT’s 1984 privatisation. That’s because public telecoms providers are facing one of the world’s toughest legislative cybersecurity regimes deriving from the Telecommunications (Security) Bill.
The Bill advances the UK government’s findings within its Telecoms Supply Chain Review Report to establish an enhanced legislative framework for telecoms security. It also provides the government with the powers to act on the use of high-risk vendors on national security grounds.
The changes come in response to the UK’s growing dependency on fixed and mobile broadband, driven by new working patterns and 5G ultimately becoming essential for autonomous vehicles and all sorts of safety-dependent use cases. Everyone in the UK telecommunications industry, not just security and regulatory compliance specialists, will be impacted.
Given that 5G covers both mobile and fixed/broadband networks, future UK economic performance is intertwined not only with how well 5G technology and supply chain risks are tackled, but also with how vulnerabilities around “national capability to operate networks” are addressed.
As such, although connectivity such as Wi-Fi and 5G and the ever-growing number of Internet of Things (IoT) devices create new business models and lifestyle advantages, they have vulnerabilities that threaten the availability of services and make them juicy targets for hackers. The deployment of open 5G networks based on software-driven, virtualised technology is creating new vulnerabilities. Some threats affect network availability, while others risk data loss and theft.
What the Bill says
The Telecommunications (Security) Bill amends the Communications Act 2003 by placing strengthened telecoms security duties on public telecoms providers, providing new powers for the government to set out specific security requirements and issue codes of practice, and giving Ofcom new tools and responsibilities to ensure industry compliance.
Additional controls are being imposed on high-risk vendors posing a material security risk to network resilience. Although media reporting tends to focus on the procurement aspect of this Framework, it is significant that its scope extends into the design, build and operate phases of the technology lifecycle.
The Framework ensures that network management functions and tasks cannot be achieved from corporate administrative networks. The Bill covers the diversity of supply chains, the quality and security of equipment and managed service providers.
It also addresses the government’s concerns about global telco operators making decisions for reasons that may not be in the UK’s interests. Global operators that may have allowed commercial benefits, accrued at a multi-national level, to drive offshoring instead of considering infrastructure risk at a national op-co level might be a case in point.
The time has come for everyone in the communications industry to elevate their thinking about the risks to critical national infrastructure as they go about their day-to-day work.