Huawei ban: Big fines for telecoms companies if they ignore new security standards

A new security bill enshrines the Huawei ban into UK law, and lays out sanctions for those who fail to follow the rules.
Written by Daphne Leprince-Ringuet, Contributor

Stricter security rules will be enforced around the deployment of future mobile networks in the UK, and telecoms companies could face hefty fines if they fail to adhere to higher standards, according to a new law on the security of 5G and fiber networks.  

A new draft telecommunications security bill presented to Parliament aims to strengthen the security of next-generation networks, and to provide the government with "unprecedented" powers to force telecoms giants to stick to the new rules. Part of the law covers the management of high-risk vendors, which means that the government will be able to impose controls on providers' use of equipment supplied by companies that are deemed unsafe.

Last July, following advice from the National Cyber Security Centre (NCSC), the UK government ruled that Huawei's equipment should be entirely removed from the country's 5G networks by 2027. The telecommunications security bill now enshrines that ruling into law, and creates the powers that will allow the government to enforce the decision. 

The new bill will also set out various other security standards, which are still to be defined in secondary legislation. Those requirements are likely to include safer designs and maintenance of sensitive equipment, regular security controls and audits, and protection of customer data. New codes of practice will also be designed to clarify how providers should comply with their new legal obligations. 

Telecoms watchdog Ofcom will be in charge of monitoring providers' compliance through technical testing, interviewing staff, and entering operators' premises to view equipment and documents. Companies that fail to meet the new requirements could face fines of up to 10% of turnover or, in the case of a continuing contravention, £100,000 ($133,600) per day. 

The new bill will be a welcome piece of legislation for telecoms companies, as it brings clarity to the complex field of security standards – one that was punctuated, in the Huawei decision-making process, by various confusing U-turns.

"This provides clarity and underlines the ever-growing importance of security in the rollout of next-generation networks," Paolo Pescatore, analyst at PP Foresight, told ZDNet. "Stripping Huawei entirely from networks represents a major headache for telcos in terms of cost, time, and holding back further innovation. Telcos need to press on and ensure a seamless process with minimal disruption to users." 

The UK's leading telecommunications provider BT has already started breaking ties with Huawei ahead of the 2027 deadline. Earlier this year, the company signed deals with Nokia and Ericsson, which together will manage BT's 5G traffic once the deployment is completed. 

Network providers have therefore already kick-started the groundwork on new security standards, but the new telecommunications bill will provide much-needed extra detail on how the requirements will work in practice.

A spokesperson for BT said: "The security of our networks is paramount. We therefore welcome the UK government's establishment of clear security standards for the UK telecoms industry. We'll continue to work closely with the NCSC and other Government bodies to develop these standards further and provide a framework that sets a world-leading standard for the security of the UK's networks." 

Huawei, for its part, has been pushing hard over the last few months to demonstrate that the UK benefits from relying on the Chinese giant's mobile network equipment. A recent study by Oxford Economics, which was sponsored by the company, found that Huawei contributed £3.3 billion ($4.40 billion) to UK GDP last year, while supporting 51,000 jobs through its economic activity. 

Huawei's vice president Victor Zhang condemned the telecommunications security bill as "politically-motivated" and based on an unfair evaluation of the risks. Warning that the new law will move Britain into the digital slow lane, Zhang said: "It's disappointing that the government is looking to exclude Huawei from the 5G rollout." 

The new security bill comes off the back of a telecoms supply-chain review conducted last year, which found that although telecommunications providers are responsible for setting their own standards, the companies have little incentive to adopt strong security practices. Commercial priorities, the report found, often take precedence over risk assessments, and cyber security is not seen as enough of a priority.

At the same time, cyberattacks are on the rise, with hostile activity driven by state actors and criminals, especially in Russia, China, North Korea and Iran, said the report. The UK government has pitched the new bill as a means to stop espionage attacks, as well as to prevent networks from being remotely disabled because of insecure connections to other networks. 

This is particularly relevant for next-generation networks, which also require next-generation security protocols. 5G connectivity will be enabled by software running on commodity hardware, rather than proprietary hardware, with many core functions moving closer to the edge of the network.  

"With each new generation of network, there is an ever-increasing reliance on software," said Pescatore. "Security is paramount in a world where networks are becoming software-driven and prone to attacks. The arrival of gigabit connectivity paves the way for endless possibilities, which needs to be underpinned by stringent security guidelines." 

The government will now consult with industrial players before drawing up secondary legislation to be laid in Parliament. A public consultation will also be launched to gather views on who the bill should affect and how quickly work should be carried out.
