Dear Colleagues,
UK Telecommunications
Today, both I and the Foreign Secretary made statements on UK Telecommunications relating to the security and resilience of the country's crucial digital infrastructure. I am aware of the Parliamentary interest in this issue, and wanted to provide information to colleagues.
The Government recognises the importance of having world-class gigabit connectivity, using both 5G and full fibre networks. The networks will empower rural businesses and create new possibilities for our transport and manufacturing industries. That is why the Government is committed to securing nationwide coverage of gigabit capable broadband by 2025, and has committed £5 billion of new public funding to remove barriers to fast deployment.
It is essential that these networks are both secure and resilient, and this is why the Government has undertaken a comprehensive review of the supply arrangements in our 5G and full fibre networks.
The Telecoms Supply Chain Review, which was laid before Parliament in July, underlined the importance of our critical digital infrastructure.
The Review sought to address three key questions:
- How should we incentivise telecoms operators to improve security standards and practices in 5G and full fibre networks?
- How should we address the security challenges posed by high risk vendors?
- How can we create sustainable diversity in the telecoms supply chain?
The Review made the case for establishing a robust new security framework for the telecoms sector, as well as the need for the Government to support the sector’s diversification. The Government is now in the process of taking forward these measures.
Today the final conclusions of the Telecoms Supply Chain Review on high risk vendors were announced in both Houses.
The Review considered a range of objective factors in order to assess a vendor as high risk, including the strategic position of the vendor in the UK and other networks, the quality and transparency of the vendor’s engineering practices, the technical resilience of vendors, and the relationship between the vendor and the vendor’s domestic state apparatus.
The Review concluded that it will be necessary and proportionate to put in place additional controls on vendors that pose a higher risk to our 5G and full fibre networks. For 5G and full fibre networks, high risk vendors should be excluded from those parts of the network that are critical to security. The presence of high risk vendors should also be limited in other parts of those networks, including exclusions from sensitive geographic locations. Based on the current position of the UK market, high risk vendors should be:
- Excluded from all safety related and safety critical networks in Critical National Infrastructure;
- Excluded from security critical network functions;
- Limited to a minority presence in other network functions to a cap of up to 35%; and
- Subjected to tight restrictions, including exclusions from sensitive geographic locations.
These new controls will be contingent on an NCSC-approved risk mitigation strategy also being in place.
Over time, our intention is for the market share of high risk vendors to reduce as market diversification takes place.
Following the Review, the Government continues to consider both Huawei and ZTE to be high risk vendors.
The Government has also asked the National Cyber Security Centre to consider issuing guidance to UK Telecoms Operators on the use of high risk vendors in the UK’s telecommunications networks, and that guidance was published today.
The National Cyber Security Centre has also published a summary of their security analysis that supported the Review.
www.ncsc.gov.uk/report/summary-of-NCSC-security-analysis-for-the-UK-telecoms-sector
The Government intends to legislate at the earliest opportunity to introduce a comprehensive telecoms security and resilience regime that will be overseen by the regulator Ofcom as well as the Government.
Regards,
Rt Hon Baroness Morgan of Cotes
Secretary of State for Digital, Culture, Media and Sport