By Mike Conradi, Christian Keogh & Joana Santos
On 5 February 2020, we first posted about the National Cyber Security Centre’s (NCSC) publication of technical advice to telecoms operators on their use of equipment from high-risk vendors (HRVs) in UK telecommunications networks – i.e. the Telecoms Security Requirements. Since that blog post, the NCSC has published revised TSRs, and we have revised our original post to provide an up-to-date summary of the TSRs as they apply at today’s date.
At the time of our original post, Huawei was considered by the NCSC to be a HRV, with one of the factors contributing to this assessment including that several of Huawei’s entities are subject to ever-increasing restrictions on their ability to trade with the US, which could affect the quality of their products in future. At the time, it was not known what longer term such restrictions would have on supply to the UK, and whether those restrictions would remain in place or change.
Since our original blog post, additional sanctions have been placed on Huawei by the US, and existing restrictions on Huawei have remained in place for over 12 months. The additional sanctions on Huawei’s supply chain and a re-assessment of the general situation on restrictions placed on Huawei, has led the NCSC has stated that it no longer considers that the UK will be able to manage the security risks of using affected Huawei technology in future 5G networks. The effect of the revised guidelines, is that UK telecommunications providers:
- are prohibited from purchasing new Huawei 5G equipment after 31 December 2020; and
- must remove and replace all existing Huawei 5G equipment from their networks by 2027.
Separately to the NCSC’s revised guidelines, the National Security Council has announced bans on the purchase of new Huawei 5G equipment after 31 December 2020, and a requirement for all UK 5G networks to be Huawei-free by the end of 2027.
Huawei and use of high-risk vendors in UK telecoms networks
In July 2019, the UK’s Department of Culture, Media and Sport (DCMS) concluded its Telecoms Supply Chain Review, aiming to create an evidence-based policy framework for the telecoms supply chain. As part of the review, the National Cyber Security Centre (NCSC) was tasked by DCMS to conduct a review on the use of high-risk vendors (HRVs) in UK telecoms networks.
On request from the government, the NCSC published technical advice to telecoms operators on their use of equipment from HRVs in the form of Telecoms Security Requirements (TSR). This advice coincided with the government’s announcement that it would put the TSR framework into legislation “at the earliest opportunity” through a comprehensive new telecoms security regime. Since their first publication on 28 January 2020, the NCSC published revised TSRs on 14 July 2020, specifically updating its risk mitigation strategies in respect of the use of Huawei equipment in UK telecommunications networks, following the impact of the imposition of additional sanctions on Huawei.
This blog post sets out what you need to know about the NCSC and TSRs, and how the latter are likely to be enforced.
What is the National Cyber Security Centre?The NCSC is a government organisation, operational from October 2016 as part of the government’s National Cyber Security Strategy 2016-2020. Its purpose is to be the “authority on the UK’s cyber security environment,” with the role of “sharing knowledge, addressing systemic vulnerabilities and providing leadership on key national cyber security issues.”1
After the Telecoms Supply Chain Review, the NCSC carried out a security analysis for the DCMS into potential risks to the telecoms sector arising from changes in the telecoms supply chain and from existing practices employed by UK operators; and into the residual risks to the UK. After a request from the government, the NCSC published non-binding technical advice to telecom operators on their use of equipment from HRVs.
What are the Telecoms Security Requirements?
The TSRs are a set of guidelines directed at telecoms operators of FTTP (i.e. fixed fibre broadband) and “legacy” fixed access (i.e. copper) networks, and 4G and 5G mobile networks. They set out the NCSC’s recommendations on the use of HRVs in telecoms networks.
The TSRs are designed to mitigate the risks that HRVs present to telecoms networks, and introduce vendor diversity into the telecoms supply chain. The TSRs attempt to do so by identifying what a high-risk vendor is, and by setting out several ways to manage the security risks presented by high-risk vendors:
- The TSRs set out non-exhaustive criteria that the NCSC applies when identifying vendors as HRVs. These criteria are to be applied by telecoms operators when deciding whether to use a new vendor in their network, though operators are encouraged to engage with the NCSC when making this assessment.
- The TSRs introduce suggestions that limit the use of HRVs in telecoms networks, including thresholds on the use of HRVs in telecoms networks, and complete bans on the use of HRVs in certain core parts of telecoms networks. Specifically, these include:
- complete bans on the use of HRVs in certain “core” network functions, including general bans applicable to all network functions, and specific bans applicable to specific 4G and 5G network functions;
- bans on equipment from HRVs near sites that are significant to national security or sensitive networks (e.g. those directly relating to the operation of government or any safety-related systems in wider critical national infrastructure);
- hard caps on the use of HRVs in FTTP and 5G networks (note: these thresholds are not applicable to 4G networks or legacy networks), as follows:
- For FTTP and other gigabit and higher capable access networks, a maximum of 35% of premises passed by a network should be served by equipment from an HRV.
- For 5G networks, a maximum of 35% of expected network traffic volume on any particular network passing through HRV equipment, and at most 35% of base stations nationally on any network, should be served by equipment from an HRV.
- For both FTTP and 5G networks, a maximum of 35% of all the network elements of a particular equipment class in any particular network should be provided by an HRV.
- in respect of 4G and legacy fixed access (i.e. copper) networks, an expectation that at least two vendors will be used in the access network, with a roughly 50/50 split between vendors in that case (though no hard cap, like the 35% for 5G and FTTP, applies); and
- a cap on the number of HRVs with any amount of equipment in any given network to one HRV
- The TSRs also provide that even where HRV equipment is not, in principle, barred, operators should only use an HRV if that HRV has in place a specific risk mitigation strategy, designed and overseen by the NCSC.
Beyond the specific measures noted above, the NCSC notes that for certain network functions, a case-by-case analysis is required to determine what controls are placed on HRVs.
How will the TSRs be enforced?
The TSRs are formal guidance, setting out the NCSC’s expectations regarding network security. Compliance with the TSRs is currently voluntary, and so their application and implementation is reliant on their adoption by telecoms operators.
At the time of the introduction of the TSRs, the government had, though, proposed to give legislative backing to the TSRs through a comprehensive new telecoms security regime overseen by it and Ofcom. This regime will be introduced “at the earliest opportunity.” 2 Until then, the government notes that the UK “expects UK telecoms operators to give due consideration to [the] advice, as they do with all their interactions with the NCSC.”
As at the date of this updated blog post, the TSRs have still not been introduced as legislation. However, the government has reinforced its intention to legislate at the earliest opportunity stating that a new Telecoms Security Bill will be put in place powers to implement the TSR framework.3
As such, though at present there is no strong enforcement backing of the TSRs, there is a clear and serious expectation from the government that telecoms operators comply with the guidance from the TSRs.
Application to the involvement of Huawei in the UK’s 5G network rollout
When first introduced in January 2020, the NCSC concluded in the TSRs that Huawei was an HRV based on the non-exhaustive the criteria set out in the TSRs. This included that:
- Huawei has a large UK market share, and is subject to Chinese law and so it could be ordered to act in a way harmful to the UK;
- China has a history of carrying out cyberattacks;
- Huawei’s cyber security and engineering quality is low; and
- several of Huawei’s entities were on the US Entity List, and it as not clear whether those entities would remain on the
As noted above, the TSRs provide that operators should only use a HRV if that HRV has in place a specific risk mitigation strategy, designed and overseen by the NCSC. In January 2020, there was a risk mitigation strategy in place in relation to Huawei and the NCSC determined that to mitigate the risks involved in using Huawei in UK networks, and operators whose “Huawei estates” exceed the recommended level for an HRV (as set out in the TSRs), were advised to take steps to reduce those amounts to the recommended level as soon as practical with an expectation that such reduction take place within 3 years.
Since January 2020, the NCSC has considered the fact that the entities on the US Entity List have remained on that list for 12 months, and the restrictions and sanctions placed on Huawei by the US are ever tightening in a way to impact the future availability of Huawei equipment to the UK, making oversight of such equipment more challenging and potentially impossible. The NSCS considers that this significantly increases the risk involved in the use of Huawei equipment in UK telecommunications networks.
The NCSC’s assessment of a material increase in risk in the use of Huawei equipment in UK telecommunications networks has led to the following consequences:
- the NCSC has revised its “risk mitigation strategy” for the use of Huawei equipment in UK telecommunications networks, and stated that any risk mitigation strategy can only apply to:
- all existing equipment (including 5G equipment);
- any remaining pre-sanction equipment (including pre-sanction 5G equipment); and
- fibre access equipment during a transition period, which is to be subject to consultation with FTTP operators;
- Given a HRV can only be used where a mitigation plan is in place in respect of that HRV, any Huawei equipment that is affected by US sanctions cannot be used in UK telecommunications networks at all; and
- operators should not procure any 5G Huawei equipment affected by the most recent US sanctions.
National Security Council bans on the use of Huawei equipment in 5G networks
As a result of the NCSC’s revised guidelines, the UK’s National Security Council on 14 July 2020, has separately made several decisions to the effect that:
- buying new Huawei 5G equipment will be prohibited after 31 December 2020;
- all Huawei equipment is to be removed from the UK’s 5G networks by the end of 2027; and
- the existing ban on Huawei for sensitive and critical parts of the UK’s 5G network will remain in place.4
Practical application of the TSRs
There are several practical issues arising from the TSRs:
- Uncertainty as to the practical application of TSRs.It is unclear how certain matters in the TSRs will practically be implemented, including how the 35% threshold will apply in practice in respect of FTTP and 5G networks. For example, what exactly counts as a “network element” of a particular class? We would expect any legislation to clarify this.
- Dealing with mergers and After the rules become law, it is unclear how they would be applied when changes happen in the industry. If, for example, an HRV and another vendor merge, does that mean that all legacy equipment from either of them falls into the HRV category? Or all such equipment sold after the merger? What if an HRV hives-off a part of its business, meaning that operators will suddenly find that, in breach of the rules, they have equipment from two HRVs in their network? Again, we hope that the legislation will clarify these issues.
- Compensation?It is unclear whether any compensation will be offered to cover the costs of removing HRV equipment. The most likely scenario is that no such compensation will be offered. In that case, foreign investors in UK network companies should consider whether they would have a claim under any relevant Investment Protection Treaties. This could be an option if the government changes the law to require significant new expenditure that applies disproportionately to foreign-owned networks.
- Application to telco operators. It is unclear what the NCSC’s advice is on removing the presence of other HRVs (other than Huawei) from telecoms networks where that presence would fall foul of the new TSR thresholds and we expect a consultation specifically on the removal of FTTP equipment.