Last week the UK Government introduced the Telecommunications (Security) Bill to Parliament. The Bill would give the Government new powers to control telecommunications providers' use of vendors thought to present a security risk, and would implement the UK ban announced earlier this year on the installation of equipment from Huawei and other high risk vendors in 5G networks from the end of September 2021.
These new rules will directly impact public telecoms providers (public electronic communications networks and services – PECN and PECS – and providers of 'associated facilities' under the Communications Act 2003) and equipment vendors that are designated by the Secretary of State under the new powers. While these proposals have been signalled for some time, the wider powers granted to the Government under this regime could create further disruption and opportunities across the telecommunications sector in the UK as the rollout of 5G continues to accelerate.
The new proposals to address national security issues in telecoms networks sit alongside the Government's plans to introduce a comprehensive and wide-ranging review mechanism for foreign investment into the UK under the recently published National Security and Investment Bill, which already signals heightened scrutiny of the Communications sector (including PECN and PECS and associated facilities) and related sectors such as Data Infrastructure and Critical Suppliers to Government.
Ban on equipment from high risk vendors in 5G networks
- The new Bill will allow the UK Government to implement the promise made in July 2020 to ban the use of Huawei equipment in 5G networks, in response to risks flowing from the imposition of US trade restrictions on Huawei (see the post on our Sanctions and Export Controls Update blog). It will do so by introducing new national security powers to manage risks posed by 'designated vendors' identified by the Secretary of State.
- The Secretary of State will be given the power to issue directions to public communications providers to prohibit, restrict or otherwise control the use of goods, services or facilities supplied, provided or made available by designated vendors, where they consider that such directions are necessary in the interests of national security and proportionate to the aims of such directions.
- When designating vendors, the Secretary of State must take into account a range of factors, including the quality, reliability and security of the vendor's products, the organisations involved in their development and production, the ultimate control of those organisations, and the degree to which the vendor or those organisations may be susceptible to being influenced or required to act contrary to the interests of national security. The Secretary of State must consult the vendor in question before issuing a designation notice, and a copy of the notice must be laid before Parliament. However, both safeguards can be dispensed with where the Secretary of State considers that complying with them would be contrary to the interests of national security.
Telecoms Security Framework
- The Bill amends the Communications Act 2003 by making public telecoms providers subject to strengthened security duties. Providers will be required to take appropriate and proportionate measures to identify and reduce the risks of security compromises occurring (including compromises of network availability and performance, unauthorised access, and the confidentiality of signals or data), to prepare for such occurrences, and to take action to limit, remedy and mitigate any damage following a security compromise. Secondary legislation will set out specific security requirements for providers, including targeted action on the secure design, construction and maintenance of network equipment handling sensitive data, controls on access to sensitive parts of networks, management of supply chain risk, and processes for understanding risk.
- The Secretary of State will have powers to issue codes of practice giving guidance on these legal obligations (e.g. covering the technical measures required to control access to networks and data). The Government has also announced a forthcoming consultation on three tiers of telecoms provider that will be covered by the initial code of practice:
- Tier 1 – the largest national telecoms providers, whose availability and security is critical, will be subject to intensive monitoring and oversight.
- Tier 2 – medium-sized telecoms providers, subject to some level of monitoring and oversight, will be expected to implement the code of practice but would have additional time to do so.
- Tier 3 – small businesses and micro enterprises in the telecoms sector, subject to more limited oversight, will need to comply with the new laws but would not be obliged to comply with the code of practice.
The Bill places public communications providers under a duty to comply with the requirements set out in a designated vendor direction and introduces financial penalties for non-compliance. Ofcom can be required to gather information and provide reports to assist the Secretary of State in assessing compliance with these directions. The Secretary of State will be responsible for assessing and enforcing compliance with any direction requirements, backed by a civil penalty regime under which fines of up to 10% of a provider's relevant turnover, or up to £100,000 per day for a continuing contravention, can be imposed. Penalties for non-compliance with information and non-disclosure requirements can be up to £10 million, or £50,000 per day for a continuing contravention.

Ofcom will be made subject to a new general duty to ensure that public telecoms providers comply with the security duties imposed by the new framework, and will be given corresponding powers to monitor and enforce compliance, to receive information from telecoms providers, and to require system tests, interview staff, and enter premises to inspect equipment. Ofcom will also be able to issue financial penalties for non-compliance and to direct companies to address security gaps during or following any enforcement process. Penalties for contravention of the security duties will be up to 10% of a provider's relevant turnover, or up to £100,000 per day for a continuing contravention; for contravention of information requirements, or for refusing to explain a failure to follow a code of practice, penalties will be up to £10 million, or £50,000 per day for a continuing contravention.