UK Telecommunications Security Bill aims to improve telco security for 5G rollouts

The UK Government recently revealed a new draft Telecommunications (Security) Bill. Though the headlines have focused on the fact the bill effectively bans Huawei from UK telecoms networks, there is more to the bill than just removing high-risk vendors.

The bill is driven by the prospect of 5G, the complexity it adds to networks, and increased threats from foreign actors. It updates the terminology around resiliency and what constitutes an incident, adds new security requirements to telecoms operators, and gives the telecoms regulator Ofcom new powers and responsibilities. “This groundbreaking bill will give the UK one of the toughest telecoms security regimes in the world and allow us to take the action necessary to protect our networks,” said Digital Secretary Oliver Dowden.

While many aspects of the bill won’t be a massive step change for operators, experts still believe this will drive renewed efforts and investments around security and could eventually be a benefit for enterprises using telecoms networks.

What is the UK Telecommunications Security Bill?

The bill gives the government powers around how telecoms operators can use designated “high-risk” vendors in their networks, effectively enabling the secretary of state to tell companies to remove vendors such as Huawei from the UK’s infrastructure. The government said that without such powers “commercial interests may take precedence over national security risks to UK telecoms networks.”

The bill also includes new obligations on providers – defined as providers of public electronic communications networks and services – and will require them to take appropriate and proportionate measures for:

• Preparedness: identifying, preparing for, and reducing risks of security compromises occurring
• Prevention of adverse effects on the network or service arising from security compromises
• Remediating and mitigating effects of security compromises

The bill, which includes updates to the 2003 Communications Act, also widens the definition of security compromise to:

• Anything that compromises the availability, performance or functionality of the network or service
• Anything that enables unauthorised access to, interference with or exploitation of the network or service
• Anything that causes signals or data to be lost or altered without permission of the telecoms provider
• Anything that occurs in connection with a network or service and causes a connected security compromise

Telecoms regulator Ofcom will have responsibility for policing and enforcing compliance with the regulation, as well as new powers to compel operators to take action and issue penalties for failures. Ofcom’s assessments and audits can include the testing and inspection of networks, services, premises, equipment, documents and information, all of which the operator must cover the costs of.

Operators will also be required to inform Ofcom and affected parties of a security compromise. Paul Graham, partner at law firm FieldFisher, adds that telecoms firms already have incident reporting obligations other under laws, and in many ways the act codifies what they understand that they need to have done anyway, so he doesn’t see a massive change in their obligations in that regard.

The bill always leaves avenues open for secondary legislation as well as codes of practice. The specifics of what this will entail is unknown, but the government has said they will likely require firms to:

• Securely design, build, and maintain sensitive equipment in the core of providers’ networks
• Reduce security risks from third party equipment in the telecoms supply chain
• Control access to core network equipment on site as well as the network management software
• Carry out security audits and put governance in place to understand the risks
• Keep networks running free from interference while ensuring data is protected when it is sent between different parts of the network

Firms found to be in contravention of a security duty will be liable for fines up to 10% of turnover or £100,000 a day for continued non-compliance. For contravention of an information requirement or refusal to explain a failure to follow a code of practice, operators can be fined up to £10 million or £50,000 per day on a continual basis.

Are current telecoms networks vulnerable?

Even before mass roll-out, vulnerabilities have been found within 5G standards and protocols, many of which are legacy issues brought forward from previous generations. An EU assessment warned  that while many of these vulnerabilities are not specific to 5G networks, “their number and significance is likely to increase” due to the increased level of complexity of the technology around and greater reliance on 5G infrastructure.

Threat actors are taking more interest in telecoms networks. Chinese-affiliated groups APT41 and APT10 are both suspected of conducting attacks on telecoms operators worldwide in recent years. The latter group’s 2019 Operation Soft Cell saw gigabytes of data stolen from an estimated 10 telco providers and reportedly gave attackers total control of compromised networks to the point they could have brought down entire cellular networks if desired.

The UK government has said there is a “lack of incentives” for telecoms providers to apply security best practices “where there are no clear commercial incentives for investment.” No one CSO spoke with for this story says the telecoms firms are doing a poor job on security, but all see 5G adding layers of complexity the operators will need to address.

“The Telecommunications Security Bill lays out more specific security requirements and codes of practice for public telecoms companies to follow,” says Andrew Roughan, managing director of Plexal. “The risk landscape has changed dramatically over the past 20 years, not the least with recent concerns over international hostile actors, so there were many aspects of the Communications Act that need to be adapted to our current digital economy. Ultimately security has to be the enabler of digital transformation, so it’s good to see this is the focus of the new bill.”

Roughan says the bill will be more burdensome for operators in the sense that it will involve rigorous systems across all suppliers, but it shouldn’t be a huge change as security has always been a primary concern for telecommunications. “At present, telecoms companies themselves are responsible for assessing potential risks and establishing their own security standards in-house, says ProPrivacy Digital Privacy Researcher Attila Tomaschek. “The bill would be instrumental in bringing about new standards of accountability in the industry that have been thus far insufficient in fostering an environment in which security is regarded as a priority.” 

The bill has yet to go through parliament and likely won’t be passed until sometime in 2021, depending on how many amendments are made during readings plus conflicting priorities post-Brexit taking precedent.

While the UK is one of the first countries to create legislation addressing telecom security for the 5G era, it is unlikely to the be the last. ENISA in the EU and CISA in the US have both released documentation on how to secure 5G, while the US is also pushing its Clean Network initiative, which all contain similar requirements around how to approach security for the new standard.

5G means more software, more vendors, more complexity

Partly influenced by the 2019 supply chain review by DCMS, the bill also creates sustainable diversity in the supply chain as well as incentivizes telco operators to improve security standards in 5G, says FieldFisher’s Graham. He adds that 5G security is a “government-lead concern” because its introduction means much more things will be network based, which creates potential risks and opportunity for threat actors.

“With the potential for autonomous vehicles, AI, and the Internet of Things, you can see the commercial incentive for another nation-state to cause havoc in telecoms,” Graham adds. “They’re not ignoring the issue right now, but the bill is putting it on a real enhanced statutory footing.”

“5G is going to increase the security boundaries hugely,” says Jimmy Jones, telecoms cybersecurity expert at Positive Technologies. “You’re going to see more APIs entering the network we’ve never seen on telecoms networks, and Gartner says by 2022 APIs are going be the most attacked security vector. When you start to slice those networks to support different types of IoT activity – the ultra-low latency, high-reliability use cases – all those are going to multiply the network’s complexity by many times.”

On the vendor side, Jones says that mobile operators already planned for a future without Huawei and the bill makes reentry to the market even less likely for the company. For the rest of the ecosystem, the move toward standardizations and more niche use cases around 5G mean there will be many more small vendors that telecoms firms will likely have to work with.

The UK government has announced plans to create certification labs that will vet new vendors coming into the market, but Jones warns the lab will need to ensure it works quickly enough to keep up with market demands while at the same time the operators will need to ensure that are keeping track of all the new niche partners supplying niche 5G use cases. Operators will also have to adapt to having new relationships with both their vendors and customers as they will need to manage a more software-defined 5G network with a larger and more complex attack surface.

“I’m completely confident that new labs will be able to test and quality assure solutions,” he says.  “But with all those different vendors, how do you keep on top of that? The complexity and the volumes are going to be huge.”

Telecoms adding cybersecurity to resilience requirements

As the bill is yet to pass parliament at this writing, telecoms firms haven’t been forthcoming with their views on the bill. “We welcome the government’s establishment of clear security standards for the UK telecoms industry,” a BT spokesperson tells CSO. “We’ll continue to work closely with the NCSC and other government bodies to develop these standards further and provide a framework that sets a world-leading standard for the security of the UK’s networks.”

Hamish MacLeod, director at mobile networks trade association Mobile UK said, “Network security and resilience have always been a top priority for the UK’s mobile network operators. We support the framework for the Telecoms Security Bill and will continue to work closely with the government to ensure the objectives of the bill are fulfilled and to build on the already robust security measures mobile operators have in place.”

While the operators will likely face increase costs for security resources, stronger vetting of vendors, and likely increased payments to Ofcom for assessments and audits, telecoms firms are used to working in highly regulated environments toward high levels of resilience. The firms should be relatively well-placed to deal with the increased expectations placed upon them.

“UK operators on the whole already tend to be pretty conscientious,” says Jones. “They already spend more than the average on security. Having legislation in place means that budget is even more enshrined, so I think it will help them internally.”

Jones says the bill might spur investment by the operators to ensure network security is up to scratch by the time it comes into law, but like with GDPR he doesn’t expect to see large fines issued in the short term by Ofcom.

On the regulator side, both he and FieldFisher’s Graham believe Ofcom will need to source more security expertise – either externally or using staff from other agencies and bodies – to fulfill its new role around security assessments and audits. While focusing on security might be new, the communications regulator will be used to keeping the operators in check on issues of resilience.

“Telecoms networks have to adhere to five-nines uptime,” says Jones. “That resilience has been nailed into their licensing agreements and telecoms operators have already been working to that level of resilience since the year dot. Where it was resilience because of a power supply or because of a flood or a fire, cybersecurity is just another tier and layer of resilience that the telecoms operators have to work to.”

Graham highlights the outage Telefonica suffered in 2019 due to the expiry of a security certificate in some Ericsson software. The Ofcom investigation led to new lessons it expected operators to learn, In 2017, Three was fined £1.9 million after a single point of failure in a data centre meant people in the south of England couldn’t call the emergency services.

For customers that rely on telecoms network to deliver services, Jones says the regulation should be good for business. “It creates an environment that they can utilize and really expand their own businesses,” he says. “If you can rely on the security of that network, then that allows you to innovate in the areas that you’re good at, whatever that industry may be.”