Earlier this week the UK government published the long-awaited Telecoms Supply Chain Review, setting out its plans to regulate the UK telecoms sector more heavily in order to improve cyber security risk management, policy and enforcement.
The Review sets out the concerns about the security and resilience of the UK’s telecoms networks, as being “largely related to: (a) inadequate industry practices overall, driven by a lack of incentives to manage security risks to an appropriate level; and (b) the risk of national dependency on a small number of viable suppliers.”
In addressing these concerns, the Review calls for a ‘strong policy response’ and recommends the establishment of a new, robust security framework for the UK telecoms sector. The new framework will ensure operators build and operate secure and resilient networks, and manage their supply chains accordingly. In addition, operators must assess and mitigate the risks posed by vendors to network security and resilience.
The foundation for the framework will be a set of new Technology Security Requirements (TSR), overseen by Ofcom and government. The TSR will provide the industry with clarity on what is expected in terms of network security. The government will now develop the legislative framework and look to provide Ofcom with enhanced powers to enforce the TSR. Until then, both Ofcom and the government will work with industry to develop the TSR and secure their adherence to it on a voluntary basis.
The TSR and framework recommendations echo a similar approach published by the National Cyber Security Centre (the NCSC) under the Networks and Information Systems (NIS) Regulations in May 2018. Under the NIS Regulations, operators of essential services must implement 14 high-level security principles in the form of the Cyber Assessment Framework that are broken down into specific outcomes and indicators of good practice.
The new framework goes beyond the scope of the NIS Regulations, in the sense that it will apply to a wider range of telecoms providers than provided for in the NIS Regulations (namely top level domain and domain name server providers, and Internet exchange points), and include all companies that supply equipment and services in the UK telecoms supply chain. Having said this, we would expect the government and NCSC to draw inspiration from the Cyber Assessment Framework and the utility of such a model in designing the new legislative framework.
It remains to be seen how the controls will apply in the context of individual high risk vendors. The government has said that it will monitor developments relating to recent US actions in relation to the telecoms supply chain, and make final decisions in due course. The effect of deferring that decision will be prolonged uncertainty for the industry around the shape of the UK telecoms supply chain at a critical time in the deployment of 5G and full fibre networks.