All posts in “Uk Government”

UK to toughen telecoms security controls to shrink 5G risks

Amid ongoing concerns about security risks posed by the involvement of Chinese tech giant Huawei in 5G supply, the UK government has published a review of the telecoms supply chain which concludes that policy and regulation in enforcing network security needs to be significantly strengthened to address concerns.

However it continues to hold off on setting an official position on whether to allow or ban Huawei from supplying the country’s next-gen networks — as the US has been pressurizing its allies to do.

Giving a statement in parliament this afternoon, the UK’s digital minister, Jeremy Wright, said the government is releasing the conclusions of the report ahead of a decision on Huawei so that domestic carriers can prepare for the tougher standards it plans to bring in to apply to all their vendors.

“The Review has concluded that the current level of protections put in place by industry are unlikely to be adequate to address the identified security risks and deliver the desired security outcomes,” he said. “So, to improve cyber security risk management, policy and enforcement, the Review recommends the establishment of a new security framework for the UK telecoms sector. This will be a much stronger, security based regime than at present.

“The foundation for the framework will be a new set of Telecoms Security Requirements for telecoms operators, overseen by Ofcom and government. These new requirements will be underpinned by a robust legislative framework.”

Wright said the government plans to legislate “at the earliest opportunity” — to provide the regulator with stronger powers to to enforcement the incoming Telecoms Security Requirements, and to establish “stronger national security backstop powers for government”.

The review suggests the government is considering introducing GDPR-level penalties for carriers that fail to meet the strict security standards it will also be bringing in.

“Until the new legislation is put in place, government and Ofcom will work with all telecoms operators to secure adherence to the new requirements on a voluntary basis,” Wright told parliament today. “Operators will be required to subject vendors to rigorous oversight through procurement and contract management. This will involve operators requiring all their vendors to adhere to the new Telecoms Security Requirements.

“They will also be required to work closely with vendors, supported by government, to ensure effective assurance testing for equipment, systems and software, and to support ongoing verification arrangements.”

The review also calls for competition and diversity within the supply chain — which Wright said will be needed “if we are to drive innovation and reduce the risk of dependency on individual suppliers”.

The government will therefore pursue “a targeted diversification strategy, supporting the growth of new players in the parts of the network that pose security and resilience risks”, he added.

“We will promote policies that support new entrants and the growth of smaller firms,” he also said, sounding a call for security startups to turn their attention to 5G.

Government would “seek to attract trusted and established firms to the UK market”, he added — dubbing a “vibrant and diverse telecoms market” as both good for consumers and for national security.

“The Review I commissioned was not designed to deal only with one specific company and its conclusions have much wider application. And the need for them is urgent. The first 5G consumer services are launching this year,” he said. “The equally vital diversification of the supply chain will take time. We should get on with it.”

Last week two UK parliamentary committees espoused a view that there’s no technical reason to ban Huawei from all 5G supply — while recognizing there may be other considerations, such as geopolitics and human rights, which impact the decision.

The Intelligence and Security committee also warned that what it dubbed the “unnecessarily protracted” delay in the government taking a decision about 5G suppliers is damaging UK relations abroad.

Despite being urged to get a move on on the specific issue of Huawei, it’s notable that the government continues to hold off. Albeit, a new prime minister will be appointed later this week, after votes of Conservative Party members are counted — which may be contributing to ongoing delay.

“Since the US government’s announcement [on May 16, adding Huawei and 68 affiliates to its Entity List on national security grounds] we have sought clarity on the extent and implications but the position is not yet entirely clear. Until it is, we have concluded it would be wrong to make specific decisions in relation to Huawei,” Wright said, adding: “We will do so as soon as possible.”

In a press release accompanying the telecoms supply chain review the government said decisions would be taken about high risk vendors “in due course”.

Earlier this year a leak from a meeting of the UK’s National Security Council suggested the government was preparing to give an amber light to Huawei to continue supplying 5G — though limiting its participation to non-core portions of networks.

The Science & Technology committee also recommended the government mandate the exclusion of Huawei from the core of 5G networks.

Wright’s statement appears to hint that that position remains the preferred one — baring a radical change of policy under a new PM — with, in addition to talk of encouraging diversity in the supply chain, the minister also flagging the review’s conclusion that there should be “additional controls on the presence in the supply chain of certain types of vendor which pose significantly greater security and resilience risks to UK telecoms”.

Additional controls doesn’t sound like a euphemism for an out-and-out ban.

In a statement responding to the review, Huawei expressed confidence that it’s days of supplying UK 5G are not drawing to a close — writing:

The UK Government’s Supply Chain Review gives us confidence that we can continue to work with network operators to rollout 5G across the UK. The findings are an important step forward for 5G and full fibre broadband networks in the UK and we welcome the Government’s commitment to “a diverse telecoms supply chain” and “new legislation to enforce stronger security requirements in the telecoms sector”. After 18 years of operating in the UK, we remain committed to supporting BT, EE, Vodafone and other partners build secure, reliable networks.”

The evidence shows excluding Huawei would cost the UK economy £7 billion and result in more expensive 5G networks, raising prices for anyone with a mobile device. On Friday, Parliament’s Intelligence & Security Committee said limiting the market to just two telecoms suppliers would reduce competition, resulting in less resilience and lower security standards. They also confirmed that Huawei’s inclusion in British networks would not affect the channels used for intelligence sharing.

A spokesman for the company told us it already supplies non-core elements of UK carriers’ EE and Vodafone’s network, adding that it’s viewing Wright’s statement as an endorsement of that status quo.

While the official position remains to be confirmed all the signals suggest the UK’s 5G security strategy will be tied to tightened regulation and oversight, rather than follow a US path of seeking to shut Chinese tech giants out.

Commenting on the government’s telecoms supply chain review in a statement, Ciaran Martin, CEO of the UK’s National Cyber Security Centre, said: “As the UK’s lead technical authority, we have worked closely with DCMS [the Department for Digital, Culture, Media and Sport] on this review, providing comprehensive analysis and cyber security advice. These new measures represent a tougher security regime for our telecoms infrastructure, and will lead to higher standards, much greater resilience and incentives for the sector to take cyber security seriously.

“This is a significant overhaul of how we do telecoms security, helping to keep the UK the safest place to live and work online by ensuring that cyber security is embedded into future networks from inception.”

Although tougher security standards for telecoms combined with updated regulations that bake in major fines for failure suggest Huawei will have its work cut out not to be excluded by the market, as carriers will be careful about vendors as they work to shrink their risk.

Earlier this year a report by an oversight body that evaluates its approach to security was withering — finding “serious and systematic defects” in its software engineering and cyber security competence.

Huawei 5G indecision is hitting UK’s relations abroad, warns committee

The UK’s next prime minister must prioritize a decision on whether or not to allow Chinese tech giant Huawei to be a 5G supplier, a parliamentary committee has urged — warning that the country’s international relations are being “seriously damaged” by ongoing delay.

In a statement on 5G suppliers, the Intelligence and Security committee (ISC) writes that the government must take a decision “as a matter of urgency”.

Earlier this week another parliamentary committee, which focuses on science and technology, concluded there is no technical reason to exclude Huawei as a 5G supplier, despite security concerns attached to the company’s ties to the Chinese state, though it did recommend it be excluded from core 5G supply.

The delay in the UK settling on a 5G supplier policy can be linked not only to the complexities of trying to weight and balance security considers with geopolitical pressures but also ongoing turmoil in domestic politics, following the 2016 EU referendum Brexit vote — which continues to suck most of the political oxygen out of Westminster. (And will very soon have despatched two UK prime ministers in three years.)

Outgoing PM Theresa May, whose successor is due to be selected by a vote by Conservative Party members next week, appeared to be leaning towards giving Huawei an amber light earlier this year.

A leak to the press from a National Security Council meeting back in April suggested Huawei would be allowed to provide kit but only for non-core parts of 5G networks — raising questions about how core and non-core are delineated in the next-gen networks.

The leak led to the sacking by May of the then defense minister, Gavin Williamson, after an investigation into confidential information being passed to the media in which she said she had lost confidence in him.

The publication of a government Telecoms Supply Chain Review, whose terms of reference were published last fall, has also been delayed — leading to carriers to press the government for greater clarity last month.

But with May herself now on the way out, having agreed to step down as PM back in May, the decision on 5G supply is on hold.

It will be down to either Boris Johnson or Jeremy Hunt, the two remaining contenders to take over as PM, to choose whether or not to let the Chinese tech giant supply UK 5G networks.

Whichever of the men wins the vote they will arrive in the top job needing to give their full attention to finding a way out of the Brexit morass — with a mere three months til a October 31 Brexit extension deadline looming. So there’s a risk 5G may not seem as urgent an issue and a decision again be kicked back.

In its statement on 5G supply, the ISC backs the view expressed by the public-facing branch of the UK’s intelligence service that network security is not dependent on any one supplier being excluded from building it — writing that: “The National Cyber Security Centre… has been clear that the security of the UK’s telecommunications network is not about one company or one country: the ‘flag of origin’ for telecommunications equipment is not the critical element in determining cyber security.”

The committee argues that “some parts of the network will require greater protection” — writing that “critical functions cannot be put at risk” but also that there are “less sensitive functions where more risk can be carried”, albeit without specifying what those latter functions might be.

“It is this distinction — between the sensitivity of the functions — that must determine security, rather than where in the network those functions are located: notions of ‘core’ and ‘edge’ ate therefore misleading in this context,” it adds. “We should therefore be thinking of different levels of security, rather than a one size fits all approach, within a network that has been built to be resilient to attack, such that no single action could disable the system.”

The committee’s statement also backs the view that the best way to achieve network resilience is to support diversity in the supply chain — i.e. by supporting more competition.

But at the same time it emphasizes that the 5G supply decision “cannot be viewed solely through a technical lens — because it is not simply a decision about telecommunications equipment”.

“This is a geostrategic decision, the ramifications of which may be felt for decades to come,” it warns, raising concerns about the perceptions of UK intelligence sharing partners by emphasizing the need for those allies to trust the decisions the government makes.

It also couches a UK decision to give Huawei access a risk by suggesting it could be viewed externally as an endorsement of the company, thereby encouraging other countries to follow suit — without paying the full (and it asserts vitally) necessary attention to the security piece.

“The UK is a world leader in cyber security: therefore if we allow Huawei into our 5G network we must be careful that that is not seen as an endorsement for others to follow. Such a decision can only happen where the network itself will be constructed securely and with stringent regulation,” it writes.

The committee’s statement goes on to raise as a matter of concern the UK’s general reliance on China as a technology supplier.

“One of the lessons the UK Government must learn from the current debate over 5G is that with the technology sector now monopolised by such a few key players, we are over-reliant on Chinese technology — and we are not alone in this, this is a global issue. We need to consider how we can create greater diversity in the market. This will require us to take a long term view — but we need to start now,” it warns.

It ends by reiterating that the debate about 5G supply has been “unnecessarily protracted” — pressing the next UK prime minister to get on and take a decision “so that all concerned can move forward”.

UK law review eyes abusive trends like deepfaked porn and cyber flashing

The UK government has announced the next phase of a review of the law around the making and sharing of non-consensual intimate images, with ministers saying they want to ensure it keeps pace with evolving digital tech trends.

The review is being initiated in response to concerns that abusive and offensive communications are on the rise, as a result of it becoming easier to create and distribute sexual images of people online without their permission.

Among the issues the Law Commission will consider are so-called ‘revenge porn’, where intimate images of a person are shared without their consent; deepfaked porn, which refers to superimposing a real photograph of a person’s face onto a pornographic image or video without their consent; and cyber flashing, the unpleasant practice of sending unsolicited sexual images to a person’s phone by exploiting technologies such as Bluetooth that allow for proximity-based file sharing.

On the latter practice, the screengrab below is of one of two unsolicited messages I received as pop-ups on my phone in the space of a few seconds while waiting at a UK airport gate — and before I’d had a chance to locate the iOS master setting that actually nixes Bluetooth.

On iOS, even without accepting the AirDrop the cyberflasher is still able to send an unsolicited placeholder image with their request.

Safe to say, this example is at the tamer end of what tends to be involved. More often it’s actual dick pics fired at people’s phones, not a parrot-friendly silicone substitute…

cyber flashing

A patchwork of UK laws already covers at least some of the offensive and abusive communications in question, such as the offence of voyeurism under the Sexual Offences Act 2003, which criminalises certain non-consensual photography taken for sexual gratification — and carries a two-year maximum prison sentence (with the possibility that a perpetrator may be required to be listed on the sexual offender register); while revenge porn was made a criminal offence under section 33 of the Criminal Justice and Courts Act 2015.

But the government says that while it feels the law in this area is “robust”, it is keen not to be seen as complacent — hence continuing to keep it under review.

It will also hold a public consultation to help assess whether changes in the law are required.

The Law Commission published Phase 1 of their review of Abusive and Offensive Online Communications on November 1 last year — a scoping report setting out the current criminal law which applies.

The second phase, announced today, will consider the non-consensual taking and sharing of intimate images specifically — and look at possible recommendations for reform. Though it will not report for two years so any changes to the law are likely to take several years to make it onto the statute books.

Among specific issues the Law Commission will consider is whether anonymity should automatically be granted to victims of revenge porn.

Commenting in a statement, justice minister Paul Maynard said: “No one should have to suffer the immense distress of having intimate images taken or shared without consent. We are acting to make sure our laws keep pace with emerging technology and trends in these disturbing and humiliating crimes.”

Maynard added that the review builds on recent changes to toughen UK laws around revenge porn and to outlaw ‘upskirting’ in English law; aka the degrading practice of taking intimate photographs of others without consent.

“Too many young people are falling victim to co-ordinated abuse online or the trauma of having their private sexual images shared. That’s not the online world I want our children to grow up in,” added the secretary of state for digital issues, Jeremy Wright, in another supporting statement.

“We’ve already set out world-leading plans to put a new duty of care on online platforms towards their users, overseen by an independent regulator with teeth. This Review will ensure that the current law is fit for purpose as we deliver our commitment to make the UK the safest place to be online.”

The Law Commission review will begin on July 1, 2019 and report back to the government in summer 2021.

Terms of Reference will be published on the Law Commission’s website in due course.

UK carriers warn over ongoing Huawei 5G uncertainty: Report

UK mobile network operators have drafted a letter urging the government for greater clarity on Chinese tech giant Huawei’s involvement in domestic 5G infrastructure, according to a report by the BBC.

Huawei remains under a cloud of security suspicion attached to its relationship with the Chinese state, which in 2017 passed legislation that gives authorities more direct control over the operations of internet-based companies — leading to fears it could repurpose network kit supplied by Huawei as a conduit for foreign spying.

Back in April, press reports emerged suggesting the UK government was intending to give Huawei a limited role in 5G infrastructure — for ‘non-core’ parts of the network — despite multiple cabinet ministers apparently raising concerns about any role for the Chinese tech giant. The UK government did not officially confirmed the leaks.

In the draft letter UK operators warn the government that the country risks losing its position as a world leader in mobile connectivity as a result of ongoing uncertainty attached to Huawei and 5G, per the BBC’s report.

The broadcaster says it has reviewed the letter which is intended to be sent to cabinet secretary, Mark Sedwill, as soon as this week.

It also reports that operators have asked for an urgent meeting between industry leaders and the government to discuss their concerns — saying they can can’t invest in 5G infrastructure while uncertainty over the use of Chinese tech persists.

The BBC’s report does not name which operators have put their names to the draft letter.

We reached out to the major UK mobile network operators for comment.

A spokesperson for BT, which owns the mobile brand EE — and was the first to go live with a consumer 5G service in the UK last month — told us: “We are in regular contact with UK government around this topic, and continue to discuss the impact of possible regulation on UK telecoms networks.”

A Vodafone spokesperson added: “We do not comment on draft documents. We would ask for any decision regarding the future use of Huawei equipment in the UK not to be rushed but based on all the facts.”

At the time of writing Orange, O2 and 3 had not yet responded to requests for comment.

A report in March by a UK oversight body set up to evaluate Huawei’s security was damning — describing “serious and systematic defects” in its software engineering and cyber security competence, although it resisted calls for an outright ban.

Reached for comment on the draft letter, a spokesperson for the Department for Digital, Culture, Media and Sport told us it has not yet received it — but sent the following statement:

The security and resilience of the UK’s telecoms networks is of paramount importance. We have robust procedures in place to manage risks to national security and are committed to the highest possible security standards.

The Telecoms Supply Chain Review will be announced in due course. We have been clear throughout the process that all network operators will need to comply with the Government’s decision.

The spokesperson added that the government has undertaken extensive consultation with industry as part of its review of the 5G supply chain, in addition to regular engagement, and emphasized that it is for network operators to confirm the details of any steps they have taken in upgrading their networks.

Carriers are aware they must comply with the government’s final decision, the spokesperson added.

At the pan-Europe level, the European Commission has urged member states to step up individual and collective attention on network security to mitigate potential risks as they roll out 5G networks.

The Commission remains very unlikely to try to impose 5G supplier bans itself. Its interventions so far call for EU member states to pay close attention to network security, and help each other by sharing more information, with the Commission also warning of the risk of fragmentation to its flagship “digital single market” project if national governments impose individual bans on Chinese kit vendors.

UK Internet attitudes study finds public support for social media regulation

UK telecoms regulator Ofcom has published a new joint report and stat-fest on Internet attitudes and usage with the national data protection watchdog, the ICO — a quantitative study to be published annually which they’re calling the Online Nation report.

The new structure hints at the direction of travel for online regulation in the UK, following government plans set out in a recent whitepaper to regulate online harms — which will include creating a new independent regulator to ensure Internet companies meet their responsibilities.

Ministers are still consulting on whether this should be a new or existing body. But both Ofcom and the ICO have relevant interests in being involved — so it’s fitting to see joint working going into this report.

As most of us spend more time than ever online, we’re increasingly worried about harmful content — and also more likely to come across it,” writes Yih-Choung Teh, group director of strategy and research at Ofcom, in a statement. “ For most people, those risks are still outweighed by the huge benefits of the internet. And while most internet users favour tighter rules in some areas, particularly social media, people also recognise the importance of protecting free speech – which is one of the internet’s great strengths.”

While it’s not yet clear exactly what form the UK’s future Internet regulator will take, the Online Nation report does suggest a flavor of the planned focus.

The report, which is based on responses from 2,057 adult internet users and 1,001 children, flags as a top-line finding that eight in ten adults have concerns about some aspects of Internet use and further suggests the proportion of adults concerned about going online has risen from 59% to 78% since last year (though its small-print notes this result is not directly comparable with last year’s survey so “can only be interpreted as indicative”).

Another stat being highlighted is a finding that 61% of adults have had a potentially harmful online experience in the past year — rising to 79% among children (aged 12-15). (Albeit with the caveat that it’s using a “broad definition”, with experiences ranging from “mildly annoying to seriously harmful”.)

While a full 83% of polled adults are found to have expressed concern about harms to children on the Internet.

The UK government, meanwhile, has made child safety a key focus of its push to regulate online content.

At the same time the report found that most adults (59%) agree that the benefits of going online outweigh the risks, and 61% of children think the internet makes their lives better.

While Ofcom’s annual Internet reports of years past often had a fairly dry flavor, tracking usage such as time spent online on different devices and particular services, the new joint study puts more of an emphasis on attitudes to online content and how people understand (or don’t) the commercial workings of the Internet — delving into more nuanced questions, such as by asking web users whether they understand how and why their data is collected, and assessing their understanding of ad-supported business models, as well as registering relative trust in different online services’ use of personal data.

The report also assesses public support for Internet regulation — and on that front it suggests there is increased support for greater online regulation in a range of areas. Specifically it found that most adults favour tighter rules for social media sites (70% in 2019, up from 52% in 2018); video-sharing sites (64% v. 46%); and instant-messaging services (61% v. 40%).

At the same time it says nearly half (47%) of adult internet users expressed recognition that websites and social media platforms play an important role in supporting free speech — “even where some people might find content offensive”. So the subtext there is that future regulation of harmful Internet content needs to strike the right balance.

On managing personal data, the report found most Internet users (74%) say they feel confident to do so. A majority of UK adults are also happy for companies to collect their information under certain conditions — vs over a third (39%) saying they are not happy for companies to collect and use their personal information.

Those conditions look to be key, though — with only small minorities reporting they are happy for their personal data to be used to program content (17% of adult Internet users were okay with this); and to target them with ads (only 18% didn’t mind that, so most do).

Trust in online services to protect user data and/or use it responsibly also varies significantly, per the report findings — with social media definitely in the dog house on that front. “Among ten leading UK sites, trust among users of these services was highest for BBC News (67%) and Amazon (66%) and lowest for Facebook (31%) and YouTube (34%),” the report notes.

Despite low privacy trust in tech giants, more than a third (35%) of the total time spent online in the UK is on sites owned by Google or Facebook.

“This reflects the primacy of video and social media in people’s online consumption, particularly on smartphones,” it writes. “Around nine in ten internet users visit YouTube every month, spending an average of 27 minutes a day on the site. A similar number visit Facebook, spending an average of 23 minutes a day there.”

And while the report records relatively high awareness that personal data collection is happening online — finding that 71% of adults were aware of cookies being used to collect information through websites they’re browsing (falling to 60% for social media accounts; and 49% for smartphone apps) — most (69%) also reported accepting terms and conditions without reading them.

So, again, mainstream public awareness of how personal data is being used looks questionable.

The report also flags limited understanding of how search engines are funded — despite the bald fact that around half of UK online advertising revenue comes from paid-for search (£6.7BN in 2018). “[T]here is still widespread lack of understanding about how search engines are funded,” it writes. “Fifty-four per cent of adult internet users correctly said they are funded by advertising, with 18% giving an incorrect response and 28% saying they did not know.”

The report also highlights the disconnect between time spent online and digital ad revenue generated by the adtech duopoly, Google and Facebook — which it says together generated an estimated 61% of UK online advertising revenue in 2018; a share of revenue that it points out is far greater than time spent (35%) on their websites (even as those websites are the most visited by adults in the UK).

As in previous years of Ofcom ‘state of the Internet’ reports, the Online Nation study also found that Facebook use still dominates the social media landscape in the UK.

Though use of the eponymous service continues falling (from 95% of social media users in 2016 to 88% in 2018). Even as use of other Facebook-owned social properties — Instagram and WhatsApp — grew over the same period.


The report also recorded an increase in people using multiple social services — with just a fifth of social media users only using Facebook in 2018 (down from 32% in 2018). Though as noted above, Facebook still dominates time spent, clocking up way more time (~23 minutes) per user per day on average vs Snapchat (around nine minutes) and Instagram (five minutes).  

A large majority (74%) of Facebook users also still check it at least once a day.

Overall, the report found that Brits have a varied online diet, though — on average spending a minute or more each day on 15 different internet sites and apps. Even as online ad revenues are not so equally distributed.

“Sites and apps that were not among the top 40 sites ranked by time spent accounted for 43% of average daily consumption,” the report notes. “Just over one in five internet users said that in the past month they had used ‘lots of websites or apps they’ve used before’ while a third (36%) said they ‘only use websites or apps they’ve used before’.”

There is also variety when it comes to how Brits search for stuff online, and while 97% of adult internet users still use search engines the report found a variety of other services also in the mix. 

It found that nearly two-thirds of people (65%) go more often to specific sites to find specific things, such as a news site for news stories or a video site for videos; while 30% of respondents said they used to have a search engine as their home page but no longer do.

The high proportion of searches being registered on shopping websites/apps (61%) also looks interesting in light of the 2017 EU antitrust ruling against Google Shopping — when the European Commission found Google had demoted rival shopping comparison services in search results, while promoting its own, thereby undermining rivals’ ability to gain traffic and brand recognition.

The report findings also indicate that use of voice-based search interfaces remains relatively low in the UK, with just 10% using voice assistants on a mobile phone — and even smaller percentages tapping into smart speakers (7%) or voice AIs on connected TVs (3%).

In another finding, the report suggests recommendation engines play a major part in content discovery.

“Recommendation engines are a key way for platforms to help people discover content and products — 70% of viewing to YouTube is reportedly driven by recommendations, while 35% of what consumers purchase on Amazon comes from recommendations,” it writes. 

In overarching aggregate, the report says UK adults now spend the equivalent of almost 50 days online per year.

While, each week, 44 million Brits use the internet to send or receive email; 29 million send instant messages; 30 million bank or pay bills via the internet; 27 million shop online; and 21 million people download information for work, school or university.

The full report can be found here.