UK to go for one of the toughest telecoms security regimes in the world

The UK government laid a new law before Parliament on 24 November 2020 (the “Telecommunications (Security) Bill”, or the “Bill”).[1] Its stated aim is to protect the UK from hostile cyber activity, including activity by state entities and organised crime.

Following the first (formal) reading in the House of Commons, the second reading of the Bill is scheduled for 30 November 2020. The Bill does not envisage a long implementation period: certain provisions will come into effect two months after it is passed, whereas the others will take effect only once the Secretary of State issues the relevant regulations. Given the substantial changes that the new regime brings, impacted players will have to start preparing for it as soon as possible.

The UK Digital Secretary set the scene that “This ground-breaking bill will give the UK one of the toughest telecoms security regimes in the world […].”[2] It fundamentally shifts from the present de facto self-regulatory regime.

The extent and gravity of the new security obligations and the potential sanctions, combined with recent changes to the merger regime in communications, mean that multinational communications players need to carefully assess the impact on their existing operations and on any potential market entry. These rules represent one of the biggest changes to the operating environment for communications providers in the UK in recent times.

The Bill covers the following main categories of new obligations and powers for the Government and Ofcom:

  1. Strengthened legal duties on telecoms providers to increase the security of networks & services in the UK subject to severe penalties (up to 10 per cent of turnover or (in the case of a continuing contravention) £100,000 a day);
  2. New responsibilities on Ofcom to monitor telecoms providers’ security, conduct investigations and enforce the new security obligations;
  3. New powers for the Government (Secretary of State) to remove high risk vendors to protect national security.

Duties of communications providers

The UK government is looking to public telecoms providers to take on more responsibility and strengthen the way in which they design, build and manage the networks and services on which the UK economy and society heavily rely.

The Bill amends the UK Communications Act 2003 and introduces new obligations, which are addressed not only to telecommunications infrastructure providers (i.e. providers of public electronic communications networks), but also to providers of publicly available electronic communications services (both categories referred to below as ‘public communications providers’ or ‘providers’). This covers a broad range of providers with the exception, at least at present, of those offering Number Independent Interpersonal Communications Services (see our earlier article on the EECC implementation).[3]

The new framework comprises three layers: 1. overarching security duties, 2. specific security requirements laid down by secondary legislation, and 3. codes of practice.

1. General Security Duties

Currently, telecoms providers are responsible by law for setting their own security standards in their networks. This, in the UK government’s view,[4] does not create sufficient incentives to apply security best practices where there are no clear commercial incentives for the investment to be made. To change this dynamic, the Bill will introduce more prescriptive security requirements.

At the first layer, the Bill introduces strengthened overarching security duties. Providers will be obliged to introduce minimum security standards for their networks and services and to take both proactive and reactive measures. On the proactive side, these measures aim at identifying the risks of security compromises occurring, reducing such risks and putting in place plans for when such compromises happen. On the reactive side, providers will be required to take action after a security compromise has occurred, to prevent adverse effects (on the network or service) and to take steps to remedy or mitigate such effects. These are the general security duties, whereas the secondary legislation and the codes of practice will provide for specific obligations.

Security compromises are defined broadly and include:

  1. anything that compromises the availability, performance or functionality of a network or service;
  2. any unauthorised access to, interference with or exploitation of networks or services;
  3. anything that compromises the confidentiality of signals or data;
  4. anything that causes signals or data to be lost, unintentionally altered or altered without permission of the telecoms provider;
  5. anything occurring in connection with a network or service that causes a compromise on another network or service that belongs to another provider.

2. Secondary legislation

The government is expected to make secondary legislation to detail specific security requirements that public communications providers must meet. This will most likely include ‘security by design’ targeted actions to:

  1. securely design, build and maintain sensitive equipment in the core networks, which controls how they are managed;
  2. reduce the risks that equipment supplied by third parties in the supply chain is unreliable or could be used to facilitate cyber attacks;
  3. carefully control who has permission to access sensitive core network equipment on site as well as the software that manages networks;
  4. make sure they are able to carry out security audits and put governance in place to understand the risks facing their public networks and services; and
  5. keep networks running for customers and free from interference, while ensuring confidential customer data is protected when it is sent between different parts of the network.[5]

3. Codes of practice

The Government will issue, following consultations with Ofcom and the industry, codes of practice providing guidance on the specific security measures to be taken by the providers.

Due to the objective differences in the size and nature of these providers (despite all of them falling in the broad category of public communications providers), the Government intends to define three tiers of telecoms providers:

  1. ‘Tier 1’ largest national-scale providers, whose availability and security is critical to people and businesses across the UK: the code of practice will apply to them fully; they will also be subject to intensive Ofcom monitoring and oversight;
  2. ‘Tier 2’ medium-sized providers: they are expected to have more time to implement the security measures set out in the code; they will be subject to some Ofcom oversight and monitoring;
  3. The smallest (‘Tier 3’) providers, including small businesses and micro enterprises: they will need to comply with the law; the government does not intend to apply the code of practice to them, but they may be subject to some limited Ofcom oversight.[6]

Information and reporting obligations

Apart from the substantive security obligations, providers will have information obligations vis-à-vis their users as well as information sharing and reporting obligations to Ofcom.

They will be obliged to inform users of any significant risk of a security compromise and advise them on technical measures that users might reasonably take to prevent its occurrence, or remedy or mitigate its adverse effects.

Providers will be under a general duty to inform Ofcom of any security compromise that has a significant effect on the operation of their networks or services, or that is likely to (re)occur. In such situations, Ofcom may direct the provider to inform specific users or, if in the public interest, the entire public. Ofcom may also decide to provide such information to users or the public directly, which may cause serious reputational issues for the provider.

Hefty fines

The Bill introduces hefty penalties for non-compliance with the new security duties and requirements placed on public telecommunication providers.

For breach of most of the substantive obligations (including the obligations related to high risk vendors and the associated directions to providers – see below) Ofcom or the Secretary of State, respectively, can impose a penalty of:

  1. up to ten per cent of turnover,[7] or
  2. in the case of a continuing breach, up to £100,000 per day.

Penalties for breach of other obligations (e.g., duty to explain failure to follow the code of practice or non-compliance with Ofcom’s instructions in pursuit of their investigative and information gathering powers or non-disclosure requirements) are capped at:

  1. £10 million or,
  2. in the case of a continuing breach, at £50,000 per day.

Ofcom’s decisions in relation to the above penalties are subject to a statutory right of appeal to the Competition Appeal Tribunal.

Civil liability for contravention of security duties

Public communications providers may face the additional risk of damages claims and litigation, as the Bill makes clear that the substantive security obligations constitute a legal duty owed to users. The Bill expressly acknowledges that affected persons may sue providers for any loss or damage sustained as a result of a breach of their security obligations.

The Bill, on the other hand, attempts to strike a balance between the security threats and the (not unlimited) resources available to providers in a rapidly changing technological environment, with new cyber threats emerging on an almost daily basis.

Even where providers have breached certain security obligations, they can still rely on a defence provided for by the Bill if they can show that they took all reasonable steps and exercised all due diligence to avoid contravening the particular duty. The other condition is that such claims may be brought only with Ofcom’s consent. Ofcom may make its consent subject to conditions relating to the conduct of the proceedings. This puts Ofcom in a very delicate position regarding such claims.

Ofcom’s duties and powers

According to the Bill, the telecoms regulator, Ofcom, will become instrumental in ensuring that the overall security threshold and resilience of networks and services is set at a much higher level. The Bill gives Ofcom stronger powers to monitor and assess providers’ security, alongside enforcing compliance with the law, the secondary legislation and the codes of practice.

Ofcom will be entitled to require providers to complete system tests or carry out other technical testing in relation to any network or service that risks causing a security threat, and to observe such tests. Ofcom may enter a provider’s premises to conduct on-site surveys of the equipment, interview staff, ask for information or request documents, including on the software elements of networks and services.

In cases of non-compliance, Ofcom will be able to issue a ‘notification of contravention’ to providers setting out the non-compliance and any enforcement action that will be taken. Providers will, for example, have to provide a reasoned explanation where Ofcom suspects that they have failed to follow the code of practice.

The Bill also provides Ofcom with a new power to direct providers to take interim steps to address security gaps during the enforcement process. In cases of non-compliance, including where a provider has not complied with a notification of contravention, Ofcom can issue financial penalties.

Designation of ‘high risk’ vendors

The Bill will give the Government (i.e. the Secretary of State) the power to:

  1. designate vendors in the telecoms supply chain posing high risks to national security (‘designated vendors’), and
  2. direct telecoms providers to control their use of goods, services or facilities from such vendors (‘designated vendor directions’).

This is effectively the next step, cementing the government’s earlier decision to ban Huawei’s technology from UK 5G networks.

In January 2020, following a detailed technical and security analysis provided by the National Cyber Security Centre, the UK government announced that new restrictions would be placed on the use of high risk vendors in the UK’s 5G and full-fibre networks. In the meantime, the US Department of Commerce announced new sanctions against Huawei through changes to its foreign direct product rules. This was followed by the announcement by the UK Digital Secretary of State in July 2020 that UK telecoms providers should cease to procure any new 5G equipment from Huawei after 31 December 2020 and remove all Huawei equipment from 5G networks by the end of 2027. The government further advised full-fibre telecoms providers to transition away from purchasing Huawei full-fibre equipment affected by the US sanctions.

The direction addressed to the public communications providers may include:

  • prohibitions or restrictions on the use of goods, services or facilities supplied by a designated vendor, and on the manner in which they can be used;
  • prohibitions on the installation of such goods or take up of such services or facilities;
  • requirements for removing, disabling or modifying such goods or facilities; and
  • requirements about modifying such services.

Enforcement

The Bill gives the Secretary of State powers to enforce compliance with designated vendor directions. The Secretary of State may require providers to: a) take immediate actions to comply with the requirements as specified in its decision and remedy the consequences of the contravention; and b) pay a penalty.

Ofcom may be tasked by the Secretary of State with gathering information including conducting on-site inspections and interviewing people. The Secretary of State can also require that the public communications provider prepare and submit to it (or Ofcom) a plan setting out the implementation steps.

A provider may seek judicial review of decisions made by the Secretary of State when exercising functions in relation to designated vendor notices and designated vendor directions, including in relation to any enforcement decisions.

Derogations and non-disclosure obligations

Because national security interests are at stake, the Bill grants important derogations to the Secretary of State. A designation may be issued without (i) stating the reason or providing justification, or (ii) consultation with the providers or the intended designated vendor, to the extent that doing so would be contrary to the interests of national security.

In addition, the Government may require a public communications provider which has been given a designated vendor direction not to disclose the existence of such direction, or any part of it, including other information regarding its enforcement, without the Government’s permission. Breach of this non-disclosure requirement is subject to a fine of up to £10 million or £50,000 per day (see earlier on fines).

This may create challenges for public communications providers in terms of their contractual arrangements with designated vendors. For example, standard termination provisions usually allow the buyer to terminate the purchase of goods or services in order to comply with instructions of competent authorities, but such provisions may also require that the other party be provided with some evidence of those instructions. Providers may therefore need to revisit key supplier contracts (for both hardware and software) in order to reassess whether the existing provisions are sufficient in light of these new requirements. For any new contracts, appropriate provisions will have to be drafted and negotiated.

[1] Telecommunications (Security) Bill, https://publications.parliament.uk/pa/bills/cbill/58-01/0216/200216.pdf.

[2] City A.M., Telecoms providers must beef up their cybersecurity for the 5G age, available at https://www.cityam.com/telecoms-providers-must-beef-up-their-cybersecurity-for-the-5g-age/

[3] The term ‘public communications provider’ is defined in section 151 of the Communications Act 2003, and covers both the providers of PECN and PECS, as well as persons who make available facilities that are associated facilities by reference to a PECN or PECS. ‘Associated facilities’ is defined in section 32(3) of the Communications Act 2003. With the transposition of the European Code on Electronic Communications into UK national law, this will now cover the vast majority of ECS providers with the exception of NI-ICS, which are not going to be regulated in the UK for the time being.

[4] The Telecoms Supply Chain Review concluded by the government in July last year, available at https://assets.publishing.service.gov.uk/government/uploads/system/uploads/attachment_data/file/819469/CCS001_CCS0719559014-001_Telecoms_Security_and_Resilience_Accessible.pdf.

[5] UK Government press release: New telecoms security law to protect UK from cyber threats, available at https://www.gov.uk/government/news/new-telecoms-security-law-to-protect-uk-from-cyber-threats

[6] UK Government, Factsheet 2: New Telecoms Security Framework, available at https://www.gov.uk/government/publications/telecommunications-security-bill-factsheets/factsheet-2-new-telecoms-security-framework

[7] The Bill introduces its own definition of a ‘relevant turnover’.