New proposed legislation could see telecoms firms handed fines of up to £100,000 a day for failing to strengthen the security of their entire UK networks.
The Telecommunications (Security) Bill would give the UK government new powers to “boost the security standards of the UK’s telecoms networks and remove the threat of high-risk vendors (HRVs)”, the government said.
The proposed bill would strengthen the legal duties of UK telecoms providers and require them to take “appropriate action to bring in minimum security standards for their networks and services and to limit the damage of any breaches”.
It would also allow the government to issue directions to telecoms providers to manage the risk of HRVs, such as Huawei, in their supply chains.
“While they are already banned from the most sensitive ‘core’ parts of the network, the bill will allow the government to impose controls on telecoms providers’ use of goods, services or facilities supplied by high-risk vendors,” the government said.
The requirements, which will be set out in secondary legislation, are likely to include rules on “reducing the risks that equipment supplied by third parties in the telecoms supply chain is unreliable or could be used to facilitate cyber attacks”, the government said.
It could also include further rules on which third-party vendors have access to the “core” network, how security audits are carried out, and protecting customer data.
Firms that fall short of new duties could face fines of up to 10% of turnover or, in the case of a continuing contravention, £100,000 per day, while Ofcom will be given greater powers to monitor and assess providers.
Oliver Dowden, digital secretary, said: “We are investing billions to roll out 5G and gigabit broadband across the country, but the benefits can only be realised if we have full confidence in the security and resilience of our networks.
“This groundbreaking bill will give the UK one of the toughest telecoms security regimes in the world and allow us to take the action necessary to protect our networks.”
Ian Levy, technical director of the National Cyber Security Centre, said “national networks and operators need to know what is expected of them”.
He added: “We are committed to driving up standards, and this bill imposes new telecoms security requirements which will help operators make better risk-management decisions.”
Huawei vice-president Victor Zhang told the BBC: “This decision is politically motivated and not based on a fair evaluation of the risks.
“It does not serve anyone's best interests as it would move Britain into the digital slow lane and put at risk the government's levelling-up agenda.”
The move will further restrict the use of vendors such as Huawei, which has been considered a security risk over its links to the Chinese state.
In January, the government issued restrictions which excluded HRVs from “sensitive core parts of 5G and gigabit-capable networks” as well as a 35% cap on HRV access to non-sensitive parts of the network.
Six months later, the UK government banned the procurement of any new 5G equipment from Huawei from 31 December 2020.
Operators were also told to remove Huawei equipment from their 5G networks by 2027, which the government estimated could delay 5G rollout by up to three years and cost up to £2bn.