In July 2019, the UK’s Department of Culture, Media and Sport (DCMS) concluded its Telecoms Supply Chain Review, aiming to create an evidence-based policy framework for the telecoms supply chain. As part of the review, the National Cyber Security Centre (NCSC) was tasked by DCMS to conduct a review on the use of high-risk vendors (HRVs) in UK telecoms networks.
Last week, on request from the government, the NCSC published technical advice to telecoms operators on their use of equipment from HRVs in the form of Telecoms Security Requirements (TSR). This advice coincided with the government’s announcement that it would put the TSR framework into legislation “at the earliest opportunity” through a comprehensive new telecoms security regime.
This blog post sets out what you need to know about the NCSC and TSRs, and how the latter are likely to be enforced.
What is the National Cyber Security Centre?
The NCSC is a government organisation, operational from October 2016 as part of the government’s National Cyber Security Strategy 2016-2020. Its purpose is to be the “authority on the UK’s cyber security environment,” with the role of “sharing knowledge, addressing systemic vulnerabilities and providing leadership on key national cyber security issues.”[1]
After the Telecoms Supply Chain Review, the NCSC carried out a security analysis for the DCMS into potential risks to the telecoms sector arising from changes in the telecoms supply chain and from existing practices employed by UK operators; and into the residual risks to the UK. After a request from the government, the NCSC published non-binding technical advice to telecom operators on their use of equipment from HRVs.
What are the Telecoms Security Requirements?
The TSRs are a set of guidelines directed at telecoms operators of FTTP (i.e. fixed fibre broadband) and “legacy” fixed access (i.e. copper) networks, and 4G and 5G mobile networks. They set out the NCSC’s recommendations on the use of HRVs in telecoms networks.
The TSRs are designed to mitigate the risks that HRVs present to telecoms networks, and introduce vendor diversity into the telecoms supply chain. The TSRs attempt to do so by identifying what a high-risk vendor is, and by setting out several ways to manage the security risks presented by high-risk vendors:
- The TSRs set out non-exhaustive criteria that the NCSC applies when identifying vendors as HRVs. These criteria are to be applied by telecoms operators when deciding whether to use a new vendor in their network, though operators are encouraged to engage with the NCSC when making this assessment.
- The TSRs introduce suggestions that limit the use of HRVs in telecoms networks, including thresholds on the use of HRVs and complete bans on the use of HRVs in certain core parts of telecoms networks. Specifically, these include:
  - bans on the use of HRVs in certain “core” network functions, including general bans applicable to all networks, and specific bans applicable to 4G and 5G networks;
  - bans on equipment from HRVs near sites that are significant to national security or sensitive networks (e.g. those directly relating to the operation of government or any safety-related systems in wider critical national infrastructure);
  - hard caps on the use of HRVs in FTTP and 5G networks (note: these thresholds are not applicable to 4G networks or legacy networks), as follows:
    - For FTTP and other gigabit and higher capable access networks, a maximum of 35% of premises passed by a network should be served by equipment from an HRV.
    - For 5G networks, a maximum of 35% of expected traffic volume on any particular network should pass through HRV equipment, and at most 35% of base stations nationally on any network should be served by equipment from an HRV.
    - For both FTTP and 5G networks, a maximum of 35% of all the network elements of a particular equipment class in any particular network should be provided by an HRV.
  - in respect of 4G and legacy fixed access (i.e. copper) networks, an expectation that at least two vendors will be used in the access network, with a roughly 50/50 split between vendors in that case (though no hard cap, like the 35% for 5G and FTTP, applies);
  - a cap on the number of HRVs with any amount of equipment in any given network to one HRV; and
  - use of an HRV is subject to there being in place a specific risk-mitigation strategy, designed and overseen by the NCSC, relating to that HRV.
Beyond the specific measures noted above, the NCSC notes that for certain network functions, a case-by-case analysis is required to determine what controls are placed on HRVs.
How will the TSRs be enforced?
The TSRs are formal guidance, setting out the NCSC’s expectations regarding network security. Compliance with the TSRs is currently voluntary, and so their application and implementation are reliant on their adoption by telecoms operators.
The government has, though, proposed to give legislative backing to the TSRs through a comprehensive new telecoms security regime overseen by it and Ofcom. This regime will be introduced “at the earliest opportunity.”[2] Until then, the government notes that the UK “expects UK telecoms operators to give due consideration to [the] advice, as they do with all their interactions with the NCSC.”
As such, though at present there is no strong enforcement backing of the TSRs, there is a clear and serious expectation from the government that telecoms operators comply with the guidance from the TSRs.
Application to the involvement of Huawei in the UK’s 5G network rollout
As part of its review, the NCSC concluded that Huawei would be an HRV under the criteria in the TSRs. The specific reasons for this classification are set out at paragraph 13 of the TSRs. In summary, the NCSC states that:
- Huawei has a large UK market share, and is subject to Chinese law and so could be ordered to act in a way harmful to the UK;
- China has a history of carrying out cyberattacks;
- Huawei’s engineering quality is low; and
- several of Huawei’s entities are subject to restrictions on their ability to trade with the US, which could affect the quality of their products in future.
Due to this classification, there is an expectation that the various restrictions and thresholds in the TSRs will be applied by telecoms operators regarding the use of Huawei as a vendor in their networks.
The TSRs also advise operators whose “Huawei estates” currently exceed the recommended level for an HRV to reduce them as soon as practical.
Practical application of the TSRs
There are several practical issues arising from the TSRs:
- Uncertainty as to the practical application of TSRs. It is unclear how certain matters in the TSRs will practically be implemented, including how the 35% threshold will apply in practice in respect of FTTP and 5G networks. For example, what exactly counts as a “network element” of a particular class? We would expect any legislation to clarify this.
- Dealing with mergers and divestments. After the rules become law, it is unclear how they would be applied when changes happen in the industry. If, for example, an HRV and another vendor merge, does that mean that all legacy equipment from either of them falls into the HRV category? Or only such equipment sold after the merger? What if an HRV hives off a part of its business, meaning that operators will suddenly find that, in breach of the rules, they have equipment from two HRVs in their network? Again, we hope that the legislation will clarify these issues.
- Compensation? It is unclear whether any compensation will be offered to cover the costs of removing HRV equipment. The most likely scenario is that no such compensation will be offered. In that case, foreign investors in UK network companies should consider whether they would have a claim under any relevant Investment Protection Treaties. This could be an option if the government changes the law to require significant new expenditure that applies disproportionately to foreign-owned networks.
- Application to telco operators. The NCSC’s TSRs recommend that operators whose Huawei “estates” exceed the recommended thresholds reduce them as soon as practical. It is unclear what the NCSC’s advice is on removing the presence of other HRVs from telecoms networks where that presence would fall foul of the new TSR thresholds.