The Telecoms Security Bill
Key considerations for Telecoms Providers
The Telecommunications (Security) Bill was introduced into Parliament on 24 November 2020. The Bill seeks to introduce a new regulatory framework for telecommunications security in the United Kingdom (UK) and gives the government extended powers to identify 'high risk' vendors that pose a risk to the UK's national security and to issue directions to telecoms providers controlling their use of goods, services or facilities supplied by those 'high risk' vendors.
If passed, telecoms providers must ensure their networks and services conform to the government's security standards and measures. Failure to do so could lead to a penalty of up to: (i) 10% of the turnover of the communications provider's business for the relevant 12-month period; or (ii) in the case of a continuing contravention, a fine of GBP 100,000 per day. The Secretary of State for Digital, Culture, Media and Sport (DCMS) will determine the proportionality and appropriateness of the fine.
What is the current status of the Bill?
At the time of writing the Bill is at Report stage in the House of Commons. This gives MPs an opportunity, on the floor of the House, to consider further amendments to a Bill that has been examined in committee. Report stage is usually followed immediately by the debate on the Bill's third reading.
What is the rationale behind the Bill?
In October 2018, the government launched the UK Telecoms Supply Chain Review to address three key questions: (i) how to incentivise telecoms providers to improve security standards and practices in 5G and full fibre networks; (ii) how to address the security challenges posed by vendors; and (iii) how to create sustainable diversity in the telecoms supply chain. The Review concluded that existing practices in the UK telecoms industry were not sufficient to tackle cyber security risks, and that the lack of diversity across the telecoms supply chain created the possibility of national dependence on single suppliers, which could expose the UK to national security risks and threats.
As such, the Review recommended the establishment of a new security framework for the UK's public telecoms providers, with its foundations set by new telecoms security requirements overseen by Ofcom and the government. It also recommended new national security powers for the government to control the presence of high risk vendors in UK networks. The Bill was created from these recommendations.
What are the main takeaways of the Bill?
- New legal duties for telecoms providers: telecoms providers must ensure their networks and services conform to security standards, including the implementation of security measures to prevent, remove or manage risks to the security of their networks and services. This will also likely involve: (i) designing and managing their networks to protect against existing and future threats to UK network security; (ii) reducing the risk that equipment supplied by third parties in the telecoms supply chain is unreliable or could be used to facilitate cyber-attacks; (iii) keeping networks running for customers free from interference; and (iv) protecting confidential customer data when it is sent between different parts of the network.
- New government national security powers to remove high risk vendors: the Bill will allow the government to impose controls on telecoms providers' use of goods, services or facilities supplied by 'high risk' vendors. The government has already issued a draft designation notice and a draft designated vendor direction requiring telecoms providers to stop installing or purchasing a particular 'high risk' vendor's equipment in 5G networks from 30 December 2020. By 31 December 2027, there must be no dependence on, or trace of, any of that 'high risk' vendor's equipment, services and facilities in the telecoms providers' networks and operations.
- New responsibilities for Ofcom to monitor telecoms operators' security: Ofcom will be given stronger powers to monitor and assess telecoms providers' security measures. This will include carrying out technical testing, interviewing staff, and entering providers' premises to view equipment and documents. Ofcom will also be given new powers to direct telecoms providers to take interim steps to address security gaps during the enforcement process, taking into account the codes of practice to be issued by the Secretary of State.
Liability for/consequences of non-compliance by telecoms providers?
Companies that do not comply with the duties imposed by the Bill, or do not follow directions on the use of high risk vendors, could face penalties of up to: (i) 10% of the turnover of the communications provider's business for the relevant 12-month period; or (ii) in the case of a continuing contravention, a fine of GBP 100,000 per day. The DCMS Secretary of State will determine the proportionality and appropriateness of the fine.
Any other material information that we should bear in mind?
DCMS has published draft Electronic Communications (Security Measures) Regulations 2021 to supplement the Bill. Key points from the Regulations include the requirement for a telecoms provider to: (i) redesign and reconstruct existing parts of the electronic communications network (so far as is appropriate and proportionate) to reduce the risk of security compromises; (ii) take proportionate measures to monitor and analyse signals for the purpose of identifying anomalous activity; (iii) take proportionate measures to identify and reduce the risk of security compromises in the supply chain; and (iv) have appropriate written plans to manage the termination of, and transition from, contracts with third party suppliers while maintaining the security of the network or service.
The Telecoms Diversification Taskforce published a report in April 2021 setting out recommendations to help the government deliver its goal of diversifying the 5G supply chain. The key recommendations of the report include: (i) collaborating with telecoms standards-setting bodies to encourage best practice in security and open networks; (ii) identifying R&D investment opportunities to build UK capability for next generation network technology; (iii) identifying the right investments and interventions needed to accelerate the development and adoption of Open RAN technology, including establishing R&D funds for the development of new products and the design of fit-for-use testing facilities; and (iv) creating the right environment via policy and regulation to ensure diversification in the supply market.
Looking ahead / what telecoms providers should be considering?
Telecoms providers should seek legal advice on the legal, contractual and political implications of the proposed changes in law for their existing contracts, and should create a robust contingency plan to address, in particular, the possibility that the Bill and designation notices become law before migration to an alternative vendor is complete. Those relying heavily on 'high risk' vendors will need to consider, among other things: (i) the material issues for continuity of service and the operational ramifications of existing contracts with 'high risk' vendors no longer being renewable; (ii) potential claims for breach of contract by 'high risk' vendors; (iii) whether the proposed regulatory changes give rise to a force majeure event; (iv) what termination rights they have under the contract, whether a termination fee or other charges are payable, and how material those fees or charges are in the context of the contract's value; and (v) how migration from the 'high risk' vendors' services, equipment and facilities will occur (the government has not provided guidance on this).
Laura Hartley and Karim Vellani contributed to the writing of this article.