Jimmy Jones: UK Telecom Security Bills Drive Global Regulation and Network Security Standards Beyond 5G

The telecoms security bills raised for consideration in the UK parliament recently are really interesting, but not just for the reason that has been the focus of the major news agencies.

The Huawei situation has been front and center of all reporting and as a reflection of the current global political environment, that is only right. The rift between China and the West has probably never been larger and Huawei have found themselves front and center.

However, uncertainty surrounding Huawei has been present for some time now, so it’s possible that mobile operators have already planned for life without them.

Reading deeper, there are other areas of interest. The law is establishing the operator’s security responsibility beyond the exclusion of certain vendors, to network security as a whole, as well as forcing change in the telecom supply chain, driving vendor diversity to combat the security vulnerabilities of monoculture or duo culture networks.

But these goals are not unique to the UK.

The Prague conference and a 5G agreement on security

In 2019, 32 countries attended a 5G conference in Prague and announced an agreement in principle on security. Shortly after the event, the European Union released the EU Toolkit, which was supported by a document from ENISA, the Europen Union’s Cyber security advisers. The Cybersecurity and Infrastructure Security Agency in the U.S. released a strategy document of late that mirrored much of the EU’s.

Within both papers, and others globally, we see reference to greater regulatory powers, and in the last week the UK has been the first to move enshrining these powers in law, while at the same time setting the bar for fines, £100,000 a day or 10% of revenue.

Even with Brexit looming, the UK will still closely align with the EU and are part of the wider “5 eyes partnership”, so it’s reasonable to expect the fines and laws to be similar and follow closely in these associated states. Additionally, the Trump administration’s “Clean Network” initiative again mirrors the Prague agreement and this is publicly supported by a number of their allies who were not present in Prague – for example, Latin America.

Therefore, while this legislation is specific to the UK, it indicates the direction of regulation well beyond those shores.

OFCOM, the UK regulator, will be given new powers to direct telecoms providers to take interim steps to address security gaps, but this is not restricted to standalone 5G networks. The legislation states who has access to sensitive parts of the core network, how security audits should be conducted, and how customer data must be protected. This will force operators to improve their security protection for all generations, rather than just 5G networks.

The regulation was released in two parts, the second concentrating on diversifying the network beyond the one or two vendors available today. This again mirrors the stated goals of the CISA though they take it further, offering prizes and R&D incentives for innovation to secure the supply chain.

Taking on the issue of security directly by excluding Chinese vendors

This addresses a big issue directed at policy makers when they excluded Chinese vendors. The argument is that exclusion slows the rollout of 5G, so the country will either fail to take full advantage of the move to industry 4.0, or make it more expensive, or slower for consumers to benefit from the new technology.

However, we do also see the opposite effect. The Huawei strategy has accelerated Open RAN, with Dell’Oro Group predicting huge rises in investment accelerated by the decision to limit Chinese equipment, reducing competition. The UK’s decision to create the SmartRAN Open Network Innovation Centre and the support of the NeutrORAN project with NEC should also create commercial opportunity and the incentives to drive innovation and new market entrants.

Ensuring the security for this abundance of new suppliers could be a problem. The program will have its hands full keeping track and vetting these new, likely small and niche vendors. I have no doubt the labs will be able to assure the quality of solutions. But many could be functions never seen before, driven by 5G applications we haven’t thought of yet. So complexity and volumes will put the pressure on labs to certify the solutions quickly enough for the market.

New applications develop much faster than established technologies, so they need updating more often. Interactions and behavior between applications may change as new ideas are developed. So just getting new vendors securely to market is ambitious. Yet this is just the start – you must secure the long-term maintenance and management processes. This means software patching, upgrades, configuration, expansion projects and the many other day-to-day activities a network needs.

It’s a massive task, but the UK government has to be commended for starting to address an issue that will affect every country and every individual for the rest of our lives.

Jimmy Jones has worked in telecoms for such major operators as WorldCom (now Verizon) and vendors including Nortel, Genband and Positive Technologies (since 2017). From legacy telecom exchanges to integration and protocol interoperability testing, Jones changed in 2005 to SIP and Session Boarder Controller equipment. He’s been on the front lines from Tier 3 and 4 wholesale carriers to Tier 1 operators using SIP for peering and access as part of the move to IMS and LTE networks. This piece is exclusive to Broadband Breakfast.

Broadband Breakfast accepts commentary from informed observers of the broadband scene. Please send pieces to commentary@breakfast.media. The views expressed in Expert Opinion pieces do not necessarily reflect the views of Broadband Breakfast and Breakfast Media LLC.