The recent attack on the oil facilities in Saudi Arabia is a stark reminder that modern warfare is often about knocking out Critical National Infrastructure in order to wreck the economy of your enemy. In an increasingly digital world, some of the most Critical National Infrastructure in the UK is our Telecoms networks. Without access to the internet, and the ability to communicate, the economy would quickly be severely damaged.
In July 2019, Jeremy Wright, Secretary of State for DCMS (Digital, Culture, Media and Sport – interesting combination?) presented the UK Telecoms Supply Chain Review Report to Parliament. It quickly became known as the ‘Huawei’ report. The press was preoccupied with the US decision to ban the use of the Chinese company Huawei’s equipment and whether the UK would follow suit.
The Huawei discussion might have been a trigger for this review, but its relevance is much wider than just Huawei. Over the next few years we will have a range of new Telecoms networks, with 5G mobile networks being deployed, and a range of new competitors building ‘full fibre’ networks.
It is therefore timely to ask whether our security regime is strong enough to protect Critical National Infrastructure. The UK National Cyber Security Centre (NCSC) has attributed a range of cyber-attacks in the last 2 years to teams from Russia, China, North Korea and Iran. The threat is clearly very real.
The main recommendations of the report revolve around a new Security Framework with 3 key components:-
- New Telecoms Security Requirements
  OFCOM will consult with industry with a view to creating a new set of standards that raise the bar on Telecoms network security.
- Establishing an enhanced legislative framework for security in telecoms
  New legislation will give OFCOM powers to enforce the new security requirements.
- Managing the security risks posed by vendors
  The 3 lines of defence will be:-
  - Network operators must have rigorous oversight of vendors to ensure they follow the new Technical Security Requirements
  - Network operators must work closely with vendors on assurance testing of equipment, systems and software
  - Additional controls must be imposed on certain types of vendors who pose significantly greater security risks. They don’t mention Huawei here, but I think we all get the picture.
SO, WHAT DOES THIS MEAN FOR THE TELECOMS INDUSTRY? A PERSONAL VIEW
The new Technical Security Requirements need to be strong enough to meet the perceived threat. However, if the costs of implementing these new rules are too high, then I doubt whether smaller companies will be able to afford them. We need to be careful we do not create an oligopoly and restrict competition.