Telecoms Supply Chain Review

Telecoms Supply Chain Review

The Government has announced new plans to safeguard the UK’s telecoms network and pave way for fast, reliable and secure 5G and full fibre connectivity. This clarification is critical for a number of UK infrastructure providers who sit on the Broadband Stakeholder Group, and to inform decisions in relation to Huawei in the rollout of the 5G and full fibre, gigabit-capable networks.

The Prime Minister chaired a meeting of the National Security Council (NSC), where it was agreed that the National Cyber Security Centre (NCSC) should issue guidance to UK Telecoms operators on high risk vendors following the conclusions of the Telecoms Supply Chain Review (TSR). The National Cyber Security Centre (NCSC) has confirmed that how the UK constructs its 5G and full fibre public telecoms network has nothing to do with how the UK shares classified data, and the UK’s technical security experts have agreed that the new controls on high risk vendors (e.g. Huawei) are completely consistent with the UK’s security needs.

In summary:

  • High risk vendors must be excluded from sensitive ‘core’ parts of 5G and gigabit-capable networks
  • 35 per cent cap on high risk vendor access to non-sensitive parts of the network
  • NCSC guidance to operators on implementing decision with legislation introduced at the earliest opportunity

This advice is that high risk vendors should be:

  • Excluded from all safety related and safety critical networks in Critical National Infrastructure
  • Excluded from security critical ‘core’ functions, the sensitive part of the network
  • Excluded from sensitive geographic locations, such as nuclear sites and military bases
  • Limited to a minority presence of no more than 35 per cent in the periphery of the network, known as the access network, which connect devices and equipment to mobile phone masts

As part of the Review, which began in July 2019, the NCSC carried out a technical and security analysis that offers the most detailed assessment in the world of what is needed to protect the UK’s digital infrastructure. The guidance sets out the practical steps operators should take to implement the government’s decision on how to best mitigate the risks of high risk vendors in 5G and gigabit-capable networks.

1. Government will establish a Telecoms Security Regime (TSR) via legislation. This will be one of the most robust in the world and which will raise security standards across the all the UK’s telecoms operators and the vendors that supply to them. The NCSC’s new TSR’s guidance will provide clarity to industry on what is expected in terms of network security. The TSRs will raise the height of the security bar and set out tough new standards to be met in the design and operation of the UK’s telecoms networks. The TSR will be overseen by Ofcom and government.

2. There is a need for the UK to improve diversity in the supply of equipment to telecoms networks. Currently in the UK there is a choice of only 3 major players to supply key parts of the telecoms networks which has implications for the security and resilience of the networks, as well as for future innovation and market capacity. The government is developing a strategy to help diversify the supply chain to address this by:

  • seeking to attract established vendors who are not present in the UK
  • supporting the emergence of new, disruptive entrants to the supply chain
  • promoting the adoption of open, interoperable standards that will reduce barriers to entry

3. In order to assess a vendor as high risk, a set of objective factors are being taken into account. These include:

  • the strategic position or scale of the vendor in the UK network
  • the strategic position or scale of the vendor in other telecoms networks, particularly if the vendor is new to the UK market
  • the quality and transparency of the vendor’s engineering practices and cyber security controls
  • the vendor’s resilience both in technical terms and in relation to the continuity of supply to UK operators
  • the vendor’s domestic security laws in the jurisdiction where the vendor is based and the risk of external direction that conflicts with UK law
  • the relationship between the vendor and the vendor’s domestic state apparatus
  • the availability of offensive cyber capability by that domestic state apparatus, or associated actors, that might be used to target UK interests

Commenting on behalf of the wider telecoms sector on the conclusion of the Government’s Telecoms Supply Chain Review, Julian David CEO of techUK said:

“The deployment of 5G and full-fibre broadband will underpin the economic transformation of the UK over the next decade. Today’s decision sets out how 5G can be rolled out quickly and securely. It gives businesses deploying that infrastructure more of the clarity that they need to get on and build their networks. To drive innovation in the long-term we need a diverse and competitive supply chain and we encourage Government to lower barriers to entry for new vendors. techUK, with members from across the telecoms sector, will continue to work with DCMS and Ofcom to determine how the security and resilience needed for tomorrow’s telecoms networks is assured.”