Consultation outcome

Call for Information on the uses and security of Private Telecommunications Networks within the UK: government response

Updated 6 December 2023

Executive summary

1. Private telecoms networks are bespoke telecoms networks, procured by businesses to serve their particular connectivity needs. As organisations increasingly use private telecoms networks, it is important that the government understands the implications of this growth. If businesses providing services critical to the UK become increasingly reliant on private telecoms networks, damage or disruption to those networks could have significant impacts on the users of critical services.

2. As such, the government issued a call for information on the uses and security of private telecoms networks. The government received 41 responses from a range of individuals and organisations, including providers and customers of private telecoms networks, trade associations, cyber security firms and standards bodies.

3. From the responses we received, the government has identified the following themes:

  • Private telecoms networks are being used in a range of critical sectors (c.90% of providers stated they had customers in these sectors) and where private telecoms networks are deployed, they are typically being used for business-critical functions.

  • Of the customers and providers who responded to the call for information, security was a key feature and rationale for the procurement of private telecoms networks.

  • Whilst respondents predominantly believed the market for private telecoms networks is developing a way which promotes good security and resilience and that standards were broadly supporting the deployment of secure and resilient private telecoms networks, there was appetite for a range of future interventions. This included developing guidance, education initiatives and ensuring adequate funding for innovation projects on the security and resilience of private telecoms networks.

  • Respondents noted positive and negative effects of future technological developments (e.g. with AI) on private telecoms networks and the need to monitor the impacts of technology as it evolves. This covered the development of existing technology such as ‘on device’ security protocols and the emergence of future technology such as quantum decryption.

  • Most respondents stated that private and public networks should continue to be treated differently due to their distinct security characteristics. A small number of respondents called for further work in creating a clearer legal definition for private telecoms networks.

  • Respondents outlined a range of security risks that could be prioritised when developing policies regarding private telecoms networks. These included risks relating to cyber and physical security of private telecoms networks and overall security of the supply chain. Respondents also stated that device security, data infrastructure and work to specifically address the risks to critical sectors could also be prioritised.

4. The government is grateful for the contributions made and will use the information supplied, alongside wider evidence and research, to determine whether government intervention is necessary to protect private telecoms networks.

Introduction

Background 

1. A private telecoms network is an electronic communications network that is not provided wholly or mainly for the purpose of making electronic communications services available to members of the public[footnote 1]. For the purpose of the call for information and this government response, private telecoms networks can be broadly understood as referring to bespoke telecoms networks that are only available for a closed user group. This is as opposed to public telecoms networks that provide a standard network or service to individuals or businesses, relying on common infrastructure.

2. As set out in the government’s Wireless Infrastructure Strategy, the growth of private telecoms networks and 5G has the potential to enable mission-critical services and underpin technologies that can bring significant economic benefits to the UK. Private telecoms networks can be better suited than public networks at meeting specific industry requirements. They can offer improved reliability, security, and higher bandwidth and could be used to boost productivity in, for example, smart factories. Private telecoms networks are not ‘new’ and have been in use for some time. However, the advent of new communications technologies, equipment and spectrum availability has driven the growth in the market for private telecoms networks - including within critical sectors[footnote 2].

3. It is important to understand the implications of the increasing use of private telecoms networks. Telecommunications networks are a key enabler of economic growth, underpinning the digital economy and civil society, and they are a high priority target for a range of threat actors. If businesses providing services critical to the UK become increasingly reliant on private telecoms networks, damage or disruption to those networks could have significant impacts on the users of those critical services. Therefore, security risks associated with private telecoms networks must be managed appropriately.

4. On 5 July 2023, the Department for Science, Innovation and Technology (DSIT) published a public call for information on the uses and security of private telecoms networks.  Whilst anyone could respond, we were particularly interested to hear from those involved in the development and provision of private telecoms networks, and the organisations that currently use them, or plan to use them in the future. The call for information lasted for ten weeks, closing on 13 September 2023. DSIT stated [in the call for information] that we will use the information supplied, alongside wider evidence and research, to help determine whether further government intervention is necessary to protect private telecoms networks.

What we asked

5. The call for information focused on four key areas on which we sought further information and insight. Questions were grouped into the following categories:

i) General questions – which were designed to provide DSIT with basic information about respondents to improve DSIT’s understanding of the types of organisations providing and using private telecoms networks.

ii) Questions for private telecoms network providers – which focused on identifying the types and uses of private telecoms networks provided to customers.

iii) Questions for private telecoms network customers – which looked at the sectors customers of private telecoms networks operated in, what they were using private telecoms networks for and customers views on security and resilience.

iv) Policy questions – which focused on the market for private telecoms networks and whether it was developing in a way which encourages good security and resilience outcomes. This included potential actions that industry can take, such as complying with standards, and potential interventions that the government could take to encourage good security and resilience outcomes.

6. The full list of questions in the call for information can be found at Annex A.

Overview of respondents

7. We received a total of 41 responses to the call for information. These included responses submitted via our online survey[footnote 3] and written responses via email. Of the responses received, 95% were submitted on behalf of an organisation and the remaining 5% of responses were submitted by individuals.

8. Of the responses received from those responding on behalf of an organisation:

  • almost three fifths (59%) worked for organisations with over 250 employees, 16% worked for organisations with between 50 and 250 employees, 11% worked for organisations with between 10 and 50 employees and 14% worked for organisations with fewer than 10 employees;
  • almost three fifths (58%) stated that their organisation is a provider (i.e. an organisation responsible for providing private telecoms networks to customers);
  • a little over a fifth (21%) stated that they are a customer (i.e. an organisation procuring and normally financing the development of the network);
  • a sixth of respondents (16%) stated that their organisation is an end user (i.e. those using the connectivity provided by a private telecoms network (for example, the staff within a customer’s organisation)); and
  • a third (34%) stated that they considered their organisation to be something else – including, for example, trade associations, standards bodies, and cyber security firms[footnote 4]

9. The full list of responding organisations to the call for information can be found at Annex B.

Purpose and structure of government response

10. This document summarises the submissions received in response to the call for information. We have chosen to take a thematic approach to analysing the responses to the call for information and, as such, this government response is structured in the following way:

  • The first section contains analysis of the responses to questions about the existing uses of private telecoms networks.

  • The second section contains analysis of responses to questions on the current security and resilience of private telecoms networks.

  • The final section contains analysis of responses to the policy questions in the call for information.

Contact details

11. Further copies of this report and the call for information can be obtained by contacting the DSIT’s Telecoms Security Policy Team at the address below:

Telecoms Security Policy Team
Department for Science, Innovation and Technology
100 Parliament Street
London
SW1A 2BQ

Email: [email protected]

12. Alternative format versions of this publication can be requested from the address above.

13. If you have any complaints or comments about the process, you should contact the Department at the above address.

Thematic Analysis

Current uses of private telecoms networks

14. This section sets out the responses to questions on how private telecoms networks are currently used. The aim of these questions was to build a picture of the private telecoms network market as it exists today, and therefore help government to better understand the impact of government policy on the market.

Provider responses

15. Of the organisations that identified themselves as providers, and answered ‘section 2 – questions for providers’, in the call for information:

  • slightly less than half (45%) stated that they were an organisation operating private telecoms networks for customers;

  • around half (52%) stated that were a designer or developer of private telecoms networks; and

  • more than a quarter (29%) stated that they were vendors (i.e. a provider of goods, services or facilities for use in private telecoms networks)[footnote 5].

16. Amongst those that are primarily providers, more than four fifths (82%) provide 5G private telecoms networks and almost three quarters (71%) provide 4G networks. This suggests that private telecoms networks being deployed are using the latest technology. The majority of respondents (88%) provide private telecoms networks to medium-sized organisations, with 63% of respondents providing networks to large organisations[footnote 6].

What type of connectivity do your networks provide? (N=17)

What type of connectivity do your networks provide? (N=17)
3G 18%
4G 71%
5G 82%
Fixed 29%
Other 35%

17. The intended end users of private telecoms networks varied. However, in nearly all cases (94%), providers stated the intended end users include ‘staff of the customer organisation’. Most respondents also provided networks for use by operational technologies[footnote 7], sensors and monitoring devices, and visitors and small businesses on a site.

Who. or what, is the end user of the connectivity your private telecoms networks provide (N=16)?

Who. or what, is the end user of the connectivity your private telecoms networks provide? (N=16)
Staff of the customer organisation 94%
Operational technologies 75%
Sensors and monitoring devices 75%
Visitors to a site 63%
Small businesses on a site 63%
The public passing though a site 31%
People living nearby 25%
Other 13%

18. Of the providers who responded to questions on critical sectors, 87% stated that they deployed private telecoms networks in critical sectors. The top four sectors that the private telecoms network providers supplied networks in were transport, health, emergency services and government[footnote 8].

Which critical sectors do you supply private telecoms networks in? (N=13)

Which critical sectors do you supply private telecoms networks in? (N=13)
Transport 69%
Health 62%
Emergency Services 54%
Government 54%
Chemicals 31%
Energy 31%
Finance 31%
Civil Nuclear 23%
Defence 23%
Food 23%
Space 23%
Water 23%
Other 15%

19. We asked providers what systems (e.g. automatic locks and smart devices), if any, relied on the networks they deployed to build a picture of the dependencies on private telecoms networks. Respondents gave a range of answers, with only one stating that there would be no knock-on effect to other systems if the private telecoms networks went down. A quarter of respondents were unable to say whether systems were reliant on their networks. This could be due to a lack of knowledge of the clients’ businesses’ reliance on their specific network. Half of responding providers said their customers’ systems were ‘very reliant’ on their networks. The systems mentioned as being reliant on private telecoms networks were:

  • control and monitoring systems for operational technologies, such as industrial robotics, guided vehicles and Internet of Things (IoT) devices;

  • physical security systems (i.e. automatic locks and ID authentication);

  • testing platforms for products and services that are not yet ready for public launch;

  • business site communications, such as at ports; and

  • emergency services communications systems.

20. Providers also stated that their networks relied on a range of systems. The systems most commonly referred to were the power supply systems, fixed line backhaul[footnote 9], base stations, and network operations centres. The majority (81%) of respondents said their networks were ‘very reliant’ on these systems. Most providers also stated that their private telecoms networks interact with public telecoms networks in some way. Only a minority said their networks were totally separate from public telecoms networks.

Customer responses

21. We received a limited number of responses from customer organisations to the questions summarised in this sub-section. All responding customers reported that the delivery of their organisation’s functions would be affected if their networks stopped working. The chart below shows the functions that were identified as potentially being affected, along with the percentages of customers who suggested those functions would be affected within their organisations.

If yes, which of your organisation’s functions would be affected? (N=5)

If yes, which of your organisation’s functions would be affected? (N=5)
Connectivity for staff on site 40%
Connectivity for staff away from site 40%
Internal communication 60%
Security 20%
Back-up systems 20%
Internet of Things (IoT) device control 40%
Sensors and monitoring devices 80%
Operational Technologies 40%

22. All customers who responded said that in the event of network failure, their ability to deliver the organisation’s services would be affected. The majority also identified that network failure could impact the security of the organisation’s internal systems, security of their service, and the security of the sector in which they operate.

23. When asked how they planned to use private telecoms networks in the future, 40% of customers planned to continue using them as they do now, 40% planned to expand their use within their current sector (i.e. connect more sites) and 20% planned to expand to different sectors.

Current security and resilience measures

24. This section sets out the responses to questions about the current security[footnote 10] and resilience[footnote 11] measures relating to private telecoms networks. It describes customers’, and providers’ views on the security and resilience of such networks and includes an analysis of responses to specific questions on private telecoms networks’ supply chains.

Customer responses on security and resilience when procuring private telecoms networks

25. We received a limited number of responses from customer organisations to the questions summarised in this sub-section. When asked to what degree customers’ considered security when procuring their private telecoms networks, 100% of respondents stated that security was prioritised to the highest extent[footnote 12]. Customers stated that the biggest security challenges they faced when procuring private telecoms networks included:

  • ensuring the network is designed to meet the customer’s security needs;
  • engaging with providers of private telecoms networks to meet those needs;
  • ensuring protection against external cyber security threats such as phishing, hacking and malware; and
  • building in the physical security necessary to protect the network.

26. When asked to what degree customers considered resilience when procuring their private telecoms networks, 80% of respondents stated that resilience was prioritised to the highest extent[footnote 13]. Customers stated the primary reason for considering resilience was the critical nature of their services that were reliant on private telecoms networks.

Provider responses on security

27. Given the current uses of private telecoms networks, including in supporting critical sectors, providers stated that they took a range of measures to ensure the security of these networks. These included:

  • using existing standards and guidance as best practice to meet customer security requirements;

  • conducting bespoke customer engagement to address specific challenges for customer organisations;

  • installing access control mechanisms, such as credential authentication; and

  • deploying various additional security mitigations including physical security measures, threat mitigation technologies and security audits.

28. The majority of providers (94%) stated that they considered industry standards and/or guidance in the design, development or deployment of their private telecoms networks to ensure the security of those networks. Some respondents also suggested they followed industry standards in relation to security of their supply chains.

Do you consider industry standards and/or guidance in the design, development or deployment of your networks?

Do you consider industry standards and/or guidance in the design, development or deployment of your networks? (N=16)
Yes 94%
No 0%
Don’t Know 6%

29. Of the providers who stated that they considered standards and guidance, those developed by 3GPP[footnote 14], ETSI[footnote 15], DSIT[footnote 16] and ISO[footnote 17] were most commonly sighted.

Do you consider industry standards and/or guidance from the following organisations? (N=15)
3GPP 87%
ETSI 67%
DSIT 60%
ISO 60%
GSMA 53%
NCSC 47%
O-RAN Alliance 40%
NIST 33%
NPSA 27%
Other 13%

30. Many providers stated that they worked closely with the customer organisations to assess and address their security needs in the networks they supplied. Respondents stated that this close engagement allowed customers to identify if there were any specific technical security requirements that needed to be incorporated into the design and development of their networks to help ensure they were ‘secure by design[footnote 18]. Respondents stated that security requirements outside of traditional standards were, primarily, driven by the preferences of customers, who would assess whether to deploy additional security features based on their budget and risk appetite.

31. The majority of respondents stated that a key security measure of private telecoms networks is the ability to embed ‘access controls’. Some respondents suggested that as private telecoms networks operate for the exclusive use of the organisation, limiting accessibility to networks is, to some extent, an ‘in-built’ security feature of private telecoms networks. Physical access controls are employed by some providers, allowing administrative access only to specific locations such as a data room. Zero trust[footnote 19] architecture is employed by providers to enable customers to securely manage control of network administration.

32. Dependent on the wishes of the client organisation, respondents noted that they can, and do, deploy a variety of threat mitigation techniques such as firewalls. These can be accompanied by security audits to continuously monitor the network and ensure that it is secure.

Provider responses on resilience

33. When asked about the steps providers took to ensure the resilience of their networks, respondents referred to a wide range of measures. These can be grouped into four types of measures:

  • Redundancy measures[footnote 20], such as data duplication and auto-restarting components, which were employed by nearly all respondents. Some respondents employed physically secure sites and geo-redundant location storage.

  • Backup power supplies, including batteries and on-site generators, which were used by nearly half of respondents to provide network resilience. This allows the networks to stay online in the event of a power outage. A third of respondents stated that they used alternative internet and radio connections to maintain connectivity in the event of power loss.

  • Regular monitoring and testing by providers, to identify network weaknesses and vulnerabilities, which they then mitigate where necessary by, for example, introducing updates and patches.

  • Physical measures to ensure resilience of key components were deployed by some network providers. Such measures included use of peripheral fencing and alarm systems.

34. When asked specifically about steps taken to ensure resilience in the event of a power outage, 80% of providers stated that they took measures and 13% of respondents stated they did not. Of those who stated they did have measures in place, these can primarily be grouped into three types:

  • Duplication (or ‘n+1 redundancy’), which involves using back up components to ensure there is a live version to switch to if a part of the network fails. For example, a provider may build two connections linking a customer’s site to a data centre, in case one connection is damaged.

  • Geo-redundant functions, where data was duplicated and stored in more than one physical location. This protects data from being destroyed if a location is physically damaged by events such as floods or fires.

  • Battery backups, which allow a network to stay live in the event of damage to the primary power source. Some respondents used on-site power generators in addition to batteries as a second form of redundancy.

Supply chains

35. The call for information specifically asked about steps taken by providers to manage the security and resilience of the supply chain. The steps respondents suggested they took can be categorised into three types:

  • Assessments of suppliers were conducted by the majority of respondents. This included security vetting. Respondents stated that they considered a range of financial as well as security concerns when conducting these assessments. Providers also stated that they conducted testing on equipment provided by suppliers, including penetration testing[footnote 21].

  • Continuity management system reviews were used by some providers to help ensure there is adequate resilience in the supply chain.

  • Diversification of the supply chain, including deploying a ‘multi-vendor strategy’ to mitigate supply chain issues and to improve the security and resilience of their networks. Such measures were taken by close to half of respondents.

36. When customers were asked about the steps they had taken to manage the security and resilience of the supply chain, they provided responses that can be grouped into the three categories:

  • Monitoring of networks to manage security and resilience risks was conducted by about half of the customers who responded to the call for information.

  • External testing was also undertaken by customer organisations. Specific measures mentioned included Council of Registered Ethical Security Testers(CREST)[footnote 22] security testing accreditation, and independent equipment testing.

  • Industry specific requirements and guidance were used by over three quarters of customer respondents when managing their procurement of private telecoms networks. This included using high risk vendor guidance provided by the National Cyber Security Centre (NCSC), as well as considering public telecoms network supply chain requirements and guidance[footnote 23].

Policy questions

37. This section sets out responses to the ‘policy questions’ in section four of the call for information. These questions were designed to inform the government’s policies regarding the security and resilience of private telecoms networks. Respondents had a wide range of views on the measures that are, or can be, taken by providers, customers and government to help ensure the security of private telecoms networks.

The market drivers of security and resilience

38. When asked if the market was developing in a way that encouraged good security, most respondents (70%) stated that it was. There was a sizeable minority (27%) of respondents who disagreed and stated that they did not believe it was. The trend across all types of organisations was broadly that the market was developing in a way that encourages good security.

39. Of respondents that identified as providers, 86% stated that the market was developing in a way that encouraged good security. This is less pronounced for those who were customers (67%) and ‘other’ organisations (50%). Of those who believed the market was developing in a positive manner the stated reasons were, in summary, that:

  • customers of private telecoms networks procure these networks due to their security features creating market incentives for providers to supply secure and resilient telecoms networks;

  • existing regulations, standards and guidance are sufficient to support the market for private telecoms networks;

  • the technical characteristics of private telecoms networks ‘builds in’ security and resilience; and

  • the emergence of new providers was leading to higher competition in the market, driving up security standards.

40. Half of responding providers suggested customer organisations had a good awareness of the need for secure and resilient telecoms. A number of respondents across all organisations stated that private telecoms networks are often procured precisely because they can be designed to meet the specific security and resilience needs of customers. Given the customer base, some respondents stated that customers’ security expectations create incentives within the market to ensure security and resilience are a priority.

41. In addition, a minority of respondents suggested that the combination of regulations such as the Network and Information Systems Regulations 2018 (for private telecoms networks which support operators of essential services)[footnote 24], and existing guidance provided a strong baseline for security expectations for telecoms providers and customers. About a third of respondents stated that existing standards (such as those from 3GPP and ISO) have resulted in the development of security features to combat new security risks and that these standards are evolving to respond to emerging threats. Respondents suggested that this was driving providers of private telecoms networks to consider security appropriately. As referred to earlier in this response, the vast majority of providers stated that they considered standards when deploying private telecoms networks[footnote 25]. Several respondents suggested there was a case for bolstering compliance checks and testing for meeting the relevant standards.

42. A number of respondents (primarily providers) stated that the nature of private networks and their technical characteristics, such as closed user groups and customised network authentication, result in a certain level of in-built security. These respondents suggested that the physical infrastructure is often hosted entirely on the customer organisation’s property allowing for greater control and security over that infrastructure. A few respondents suggested that private telecoms networks built solely with modern technology have a security advantage over networks using legacy equipment, including public networks using such equipment[footnote 26].

43. Finally, some respondents suggested that new entrants into the market may also lead to ‘cross pollination’ of IT security best practices, resulting in higher security requirements. They suggested that this expansion in the market may cause more competition which should, in theory, lead to better security and resilience features for private telecoms networks.

44. Of the 27% of respondents who did not think the market was developing in a way which prioritised security, the primary reasons can be summarised as:

  • customers being unable to effectively assess and articulate their security needs given the specialised nature of private telecoms networks; and

  • certain providers not having the necessary expertise and experience to support customers.

45. About a third of respondents noted that whilst certain customers of private telecoms networks have high degrees of knowledge, this can vary quite widely, given the highly specialised skillset necessary for procuring and managing private telecoms networks. As the onus is on customers to assess their security needs, it can be difficult for certain customer organisations to do this effectively due to a lack of security expertise and knowledge. Some respondents suggested that, as the market for private telecoms networks grows, this is likely to be exacerbated. A few respondents suggested that as private telecoms networks are not subject to the Telecommunications (Security) Act 2021 and associated regulations, this may lead to organisations prioritising the cost of a system over necessary security features - a potential ‘market failure’. One respondent suggested that the immaturity of the market also reduces opportunities for customers to make informed comparisons between provider organisations.

46. Finally, given the growth of suppliers in the market, due to, for example, the virtualised nature of the 5G architecture, some respondents stated that there is a risk that newer providers do not appropriately understand and support customer security needs. This was most strongly emphasised by customer organisations in critical sectors.

The impact of new technological developments

47. When asked how new technological developments would affect the security and resilience of private telecoms networks, respondents suggested a number of potential positive and negative effects. Across responses, providers were generally more optimistic than customers about the effects of technology. Respondents mentioned the following developments as helping to drive improvements in security and resilience:

  • traditional security technology advancements such as in the network architecture, radio equipment as well as ‘on device’ security protocols; and

  • emerging technologies (e.g. quantum computing and new forms of AI) that could be deployed in fields such as encryption. Some respondents suggested that the increased use of Network Slicing, where a self-contained and secured layer within the public network is dedicated for the use of a single organisation, would have positive effects as they would be subject to existing security requirements on public telecoms networks.

48. Respondents were clear that new technological developments may also have adverse effects on the security and resilience of private telecoms networks. The developments mentioned as potentially having negative effects on security and resilience included:

  • emerging technologies which may result in new threats to private telecoms networks, as well as new vulnerabilities within such networks if not properly managed. The progression of quantum computing, AI, Open RAN[footnote 27] and the increased interconnectedness of private telecoms networks through application programming interfaces[footnote 28] were sighted as developments to consider.

  • device/end-point security, which was a specific area of concern for customer and ‘other’ organisations. As IoT devices are used to enable new services, they can also harbour new vulnerabilities and offer vectors for attack.

49. Respondents also noted that in order for customers and providers to ensure security enhancements are delivered and upgraded over time, organisations will need to be keep aware of security risks (including threats and vulnerabilities) that could emerge from technological developments.

The role of government

50. There was no clear consensus on how government could best support the security and resilience of private telecoms networks. Whilst a minority of providers stated a preference for no additional government intervention, most respondents suggested a range of legislative and non-legislative options. These included:

  • incentivising innovation through pro-market drivers such as tax incentives;

  • closing the skills gap for cybersecurity professionals and supporting education initiatives in the market;

  • further industry and international engagement to collaborate on standards and threats to private telecoms networks;

  • additional guidance, standards, certification and validation for private telecoms networks; and

  • specific regulations for the security and resilience of private telecoms networks.

51. As the market for private telecoms networks grows, many respondents across organisations were keen to emphasise that any future government intervention should not stymie this growth. They emphasised how private telecoms networks could have a transformative impact on the efficiency of certain sectors and provide productivity and economic gains for the UK. Ensuring that any government intervention was proportionate and innovation friendly was a key theme amongst respondents. This included pro-market drivers such as ensuring that adequate spectrum[footnote 29] is available for private telecoms networks. Respondents suggested that government should provide adequate research and development funding to ensure that security and resilience is continually tested. In addition, respondents were keen for other financial incentives such as tax breaks to be used to reward or foster a good security culture.

52. As seen in paragraph 42, some respondents noted that whilst customers and providers were security focused, there is inconsistency in the levels of security knowledge across the market. Approximately a third of respondents highlighted that government should help to ensure there are ‘informed buyers and providers’ of private telecoms networks. Respondents stated this could take the form of:

  • closing the ‘skills gap’ for cyber security in telecoms, including investment in upskilling security professions to ensure that customer and provider organisations can tackle future threats;

  • better signposting and public awareness of existing courses and guidance for customers and providers. This will be critical for SMEs as barriers to entry continue to fall for the private telecoms market; and

  • further industry engagement, including the creation of/continued support for working groups on private telecoms networks for customers and providers of private telecoms networks.

53. Over half of respondents, but in particular providers, were keen to emphasise that government should continue to engage with the telecoms industry and international partners, including standards bodies and other governments across the world, to ensure that security best practice is shared and to collectively address emerging threats and challenges. This would also support the development of a common approach for the security and resilience of private telecoms internationally. Specifically, a few respondents mentioned work on ensuring harmonisation on security standards.

54. Respondents’ views on the extent of government guidance varied. Whilst respondents recognise that it is a commercial decision of an organisation to balance the economic and security features of a network, respondents stated there is likely a case for ‘educating’ buyers within the market to ensure that they are aware of the security risks relating to private telecoms networks. There were a number of respondents, in particular customers and ‘other’ organisations, who stated that government should provide bespoke guidance to customers of private telecoms networks to assist in procuring secure and resilient networks. Customers in critical sectors and those who are SMEs were highlighted as potential beneficiaries of future guidance. Of respondents who welcomed additional guidance, areas that were highlighted included, but were not limited to, the specification, procurement, operation and maintenance of private telecoms networks Other respondents stated that risk criteria, or a framework, which would allow operators and customers to assess the level of risk that their networks face, would be helpful. One respondent suggested that guidance could be sector specific. Other respondents stated that guidance could emphasise the importance of employee upskilling. More generally, respondents stated that, given the changing nature of the threat landscape, any guidance must be reviewed regularly.

55. When asked whether existing telecoms industry and cyber security standards support the deployment of secure and resilient private telecoms networks, 38% stated they did ‘a lot’, 51% suggested they did ‘somewhat’, and 11% suggested they did ‘a little’.  All providers and customer organisations responded ‘somewhat’ or ‘a lot’ and responses were split broadly equally between ‘somewhat and ‘a lot’ for both types of organisations[footnote 30].

56. Some respondents stated a preference for specific security standards for private telecoms networks. As standards are voluntary, and with SME employees within the market more likely to lack cyber skills and knowledge, a minority of respondents suggested some form of certification of providers of private telecoms networks would be helpful. They suggested that this could be accompanied by potential third-party assessments to ensure that standards were being followed by providers of private telecoms networks and to allow customers to easily identify ‘secure’ suppliers of private telecoms networks.

57. A few respondents (primarily providers) believed that the combination of market driven factors, the technical characteristics of these networks and existing regulations and guidance has successfully kept private telecoms networks secure and resilient. These respondents stated that, whilst government should continue to assess the risks in private telecoms networks, the market has thus far successfully self-regulated, and it should continue to be allowed to do so.

58. A minority of respondents from across all types of organisations stated a preference for a more interventionist approach from government. These respondents argued that the levels of private telecoms network security were currently inconsistent and that relying on voluntary measures alone would not ensure consistently high levels of security and resilience. Their suggestions included the introduction of specific regulations for private telecoms networks, aligned to the regulations[footnote 31] and code of practice introduced through the Telecommunications (Security) Act 2021. This would minimise the differences in requirements between public and private telecoms networks. Respondents also suggested that the case for regulation was strongest for critical sectors, where the effect of compromised private telecoms networks could have greatest impact. Timely regulation to combat emerging threats such as those generated by AI and quantum computing decryption were also sighted as potential ways to support the security and resilience of private telecoms networks.

59. It is evident from the responses that the threat landscape is ever changing, and industry will use private telecoms networks in novel ways that are not currently imagined. Given this, respondents were clear that government should continue to monitor and evaluate the effects of future technologies on private telecoms networks.

Differentiating between private and public telecoms networks

60. The call for information defined private telecoms networks as:

‘An electronic communications network which is not provided wholly or mainly for the purpose of making electronic communications services available to members of the public’ and ‘that they should be broadly understood as referring to bespoke telecoms networks that are only available for a closed user group’.

61. When asked if private and public telecoms networks should be treated differently when developing policy to ensure good network security, 75% of respondents stated that they should in comparison to 25% that stated they should not. This trend was seen across all types of responding organisations (i.e. customers and providers)

62. Of the 75% of respondents who stated that private and public networks should be treated differently, the rationale from respondents can broadly be broken down into the following categories:

  • that private telecoms networks have distinct security requirements from public telecoms networks;

  • that it would be disproportionate to extend security regulations to private telecoms networks given the different use-cases and customers for public and private telecoms networks; and

  • that market factors, such as a customer base with a strong interest in security and resilience, incentivises providers of private telecoms networks to ensure networks are secure and resilient.

63. The majority of customers and providers were keen to emphasise that private and public networks are used for very different reasons. They suggested that public networks by their nature have to support a wider range of activities, organisations and individuals than private telecoms networks and consequently have a greater range of vulnerabilities due to, for example, the number of end-points.

64. Given the different operational characteristics and use cases of private and public telecoms networks, just over a third of respondents argued that extending regulations to all private telecoms network would be ‘disproportionate’. Public telecoms networks are subject to certain baseline security and resilience requirements as set out in the Telecommunications (Security) Act 2021 and its associated regulations and code of practice. As private telecoms networks are bespoke and operate for the use of singular organisation as opposed to public telecoms networks which operate for millions of users, they suggested it was less proportionate to regulate private telecoms networks’ security. One respondent posited that there was a theoretical argument that should regulations be extended to private telecoms networks, as defined in the call for information, they should also be extended to all forms of private networks (i.e. private LAN), which seemed unnecessarily burdensome to them.

65. As noted in paragraph 40, some respondents to the call for information stated that private telecoms networks are often procured for their ability to be tailored to customer security needs. For this reason, and because of private telecoms networks’ technical characteristics, some respondents stated that the market is successfully self-regulating to ensure the security and resilience of private telecoms networks. This is in comparison to public telecoms networks where customers get little to no ability to shape how networks are designed and built.

66. In addition, a number of respondents were keen to emphasise that the market is nascent and needs to be allowed to grow. They suggested that ‘onerous’ baseline security requirements may stymie the market and deter future providers and customers from entering the market.

67. Whilst a majority of respondents stated that they should continue to be treated differently, a quarter of respondents drew a different conclusion, for broadly the following reasons:

  • that the security risks for private telecoms networks are similar to public networks and there is considerable overlap between public and private telecoms networks; and

  • that given the risk profile, private telecoms networks in specific sectors such as in critical sectors may warrant public and private telecoms networks to be treated the same with regard to security.

68. Some respondents argued that private and public telecoms networks should be treated the same because they fundamentally have the same security considerations. They stated that government should be encouraging providers and customers of networks to have the highest levels of security possible for the relevant use cases. A few respondents stated that the difference could be eroded as the status quo could drive a two-tier approach to security, leading to lower security requirements for private telecoms networks.

69. There were nuances within this approach where respondents specified that exactly mirroring the approach taken in public networks was unlikely to be proportionate. Some suggested that a more proportionate approach would be to tailor the regulations to where the risk is greatest, including in critical sectors. It should be noted that a few respondents believed that the existing NIS Regulations 2018 covered the security of private telecoms networks sufficiently for Operators of Essential Services.

70. Of the respondents who stated that private telecoms networks should be distinguished from public telecoms networks there were a range of ways stated on how to distinguish the two. These included that:

  • private telecoms networks are those not in scope of the definition for public networks in the Communications Act 2003;

  • private telecoms networks are distinct as they are bespoke and operate for the ‘exclusive use’ of a single customer organisation in comparison to public telecoms networks which operate for many different users; and

  • as organisations have control and ownership of their private telecoms network, they are distinct from users of public telecoms networks who do not own the telecoms network.

71. Respondents who agreed that they should be treated differently mostly agreed with the definition of private telecoms networks as set out in the call for information  in the call for information. This included, at a minimum, that private telecoms networks are generally seen as those not included in the scope of a public network as defined in section 151 of the Communications Act 2003. Some respondents were concerned about the broadness of this definition. Further distinguishing features such as networks that are ‘bespoke’ and ‘operating for exclusive use’ where individuals within the organisation would typically be the only individuals able to access the network were highlighted as a way to distinguish between private and public telecoms networks. Respondents highlighted the use of individually licensed spectrum as a differentiator.

72. Respondents noted that levels of customer organisations’ ownership and control over private telecoms networks differentiate them from public telecoms networks. The owners of private telecoms networks can customise them to meet the specific needs of their organisations. This includes having control over the network architecture, technology choices and security measures.

73. A minority of respondents suggested additional factors that could be used to refine the definition of private telecoms networks including: the use of technology; the nature of the data that is conveyed on the network; the risk that the lack of a networks security and resilience presents; and the purpose of the network. Given the diversity of private telecoms networks, one respondent stated that a ‘black and white’ definition may ultimately not be helpful and that it may be better to characterise networks as being on a spectrum ranging from fully public to fully private.

74. A small number of respondents supported the idea that government and industry collaborate to create a clearer definition of private telecoms networks. Calls for further guidance and refinements to the definition of private telecoms networks were a theme of the responses.

Security risks that should be prioritised

75. When asked which security risks should be prioritised when developing policy, respondents stated a range of potential areas to target[footnote 32].

What are the security risks to private telecoms networks that should be prioritised when developing policy to ensure good network security?

What are the security risks to private telecoms networks that should be prioritised when developing policy to ensure good network security? (N=32)
Supply Chain 44%
Security of devices and products 28%
Physical Security 47%
Cyber threats 63%
Focus on CNI 25%
Lack of skills 19%
Data Infrastructure 34%

76. Cyber threats were the most commonly cited risks as needing to be prioritised during policy development. Distributed Denial of Service (DDoS) attacks, phishing, malware and ransomware were all highlighted as specific risks to manage for private telecoms networks security. These cyber threats could lead to service outages, loss of sensitive information and significant disruption to customer organisations. Respondents did not highlight state or non-state actors as being a greater concern.

77. 1. Some respondents suggested that while physical security is critical to the protection of telecoms networks, it is rarely treated as a priority when compared to cyber security. They suggested that insufficient physical security, like insufficient cyber security, could result in vulnerabilities being exploited resulting in service outages and other forms of disruption.

78. A key concern for respondents across all organisations, but in particular customers, was ensuring the security of the supply chain for private telecoms networks. This included the equipment and management of the network and the use of high-risk vendors. Vulnerabilities in the supply chain can emerge from poor or low-quality products, leading to potential system failure by fault. Alternatively, an attacker could exploit this equipment. In addition, there is the ‘backdoor risk’ in an unsecure supply chain where malicious functionality is added to equipment either intentionally by the vendor or covertly by a hostile actor who has access to the vendor’s hardware or software.

79. Around a third of respondents, predominantly providers, highlighted exploitation of vulnerabilities in data infrastructure as a risk to private telecoms networks. Ensuring networks are “secure by design” was mentioned as being necessary for the protection of data infrastructure. As with the above risks, they suggested that exploitation of vulnerabilities in data infrastructure could lead to service outages, loss of sensitive information and significant disruption to customer organisations.

80. Providers were also concerned about device and product security. As IoT devices are increasingly used to enable new services, they can also harbour new vulnerabilities. The exploitation of security vulnerabilities in devices was cited as a significant risk to private telecoms networks. It was suggested that inadequate end-point security could lead to security breaches and malware infections. Respondents did note that they believed this would be somewhat mitigated by Part One of the Product Security and Telecommunications Infrastructure Act 2022. However, as the Act does not cover commercial devices in commercial settings, which are often deployed by the users of private telecoms networks, the security of endpoints was still a high priority.

81. As evidenced in paragraph 18, private telecoms networks are currently being used in various critical sectors. If businesses providing services critical to the UK become reliant on private telecoms networks, damage or disruption to those networks could have significant impacts on the users of critical services. As such, some respondents suggested that given the disproportionate impact of poor security and resilience on critical sectors, in comparison to non-critical sectors, government should focus any future interventions on private telecoms networks in critical sectors.

82. Respondents from a range of different organisations noted that there are gaps in the knowledge and skillset of those procuring and providing private telecoms networks. As the market expands, these gaps are likely to be exacerbated. With imperfect information, organisations will be unable to make informed decisions, and this could lead to vulnerabilities in the procurement and management of private telecoms networks. As such, some respondents stated that an education-focused approach should be prioritised to ensure there are informed customers and providers in the market.

Conclusion

83. The market for private telecoms networks is predicted to grow significantly over the next few years, and the government is committed to realising the growth and productivity benefits that private telecoms networks can offer. However, the potential economic and social benefits of these networks can only be realised if we have confidence in the security and resilience of the underpinning infrastructure.

84. The responses we received to the questions in the call for information regarding current uses of private telecoms networks suggest that:

  • There is increasing demand for the latest private network technology, with over 80% of network providers who responded to the call for information deploying 5G networks within the UK.

  • Private telecoms networks are used in a range of critical sectors with almost 90% of responding providers having customers in critical sectors.

  • Private telecoms networks are typically being used for business-critical functions when they are deployed. Nearly all customers and providers reported that there would be knock-on effects to their systems if their private telecoms networks went down, and that they were “very reliant” on these networks.

  • Of the customers and providers who responded to the call for information, security was a key feature and rationale for the procurement of private telecoms networks.

  • Organisations take a number of steps to ensure secure and resilient telecoms networks such as implementing existing standards and guidance and engaging with customers to meet bespoke needs.

85. The responses received to the policy questions in the call for information suggest that:

  • Respondents predominantly believed the market for private telecoms networks is developing in a way which promotes good security and resilience. Some respondents argued that this was because of an ‘informed’ customer base, the technical characteristics of private telecoms networks, and the existing regulatory frameworks. However, many respondents believed that more could be done to assist organisations in assessing their security needs.

  • Respondents were keen to emphasise the positive and negative benefits of future technological developments on private telecoms networks. Respondents noted that ‘emerging’ technology such as developments in AI may have both positive and negative effects on the security of private telecoms networks.

  • Whilst respondents broadly stated that telecoms industry and cyber security standards currently do support the deployment of secure and resilient private telecoms networks, there was appetite for a range of future government interventions. Although there was no clear consensus on the role of government, the most prominent suggestions from respondents included supporting industry and international cooperation on private telecoms networks, adequate funding for innovation projects on the security and resilience of private telecoms networks, and the development of guidance and education initiatives.

  • Most respondents stated that private and public networks should continue to be treated differently due to the distinct security characteristics of private and public networks and potential proportionality concerns should the same measures that apply to public networks be extended to private telecoms networks. The bespoke nature of private telecoms networks with closed user groups and the levels of ownership and control were the primary ways in which respondents stated that private and public telecoms networks could be differentiated. There was also some appetite from respondents for there to be further work in creating a clearer legal definition for private telecoms networks.

  • Respondents outlined a range of security risks that could be prioritised when developing policies regarding private telecoms networks. These included risks relating to cyber and physical security of private telecoms networks and the security of the supply chain. Respondents also stated that device security, data infrastructure and work to specifically address the risks to critical sectors could be prioritised.

86. The government is grateful to all those who responded to the call for information. These responses will be used, along with wider research, to help determine whether future government intervention is necessary to protect private telecoms networks in the UK against security threats. Future policy proposals concerning private telecoms networks that could have significant impacts on industry will be subject to consultation.

Annex A – Call for information questions

Section 1: General Questions

This section is designed to provide us with basic information about you and/or your organisation to improve our understanding of the types of organisation providing and using private telecoms networks. It also helps us to put your subsequent answers into context.

1. Are you responding as an individual or on behalf of an organisation?

  • Individual : please provide name
  • On behalf of an organisation

If you are responding as an individual please go directly to section 4 - Policy Questions.

2. What is the name of your organisation?

3. Including yourself, how many people work in your organisation across the UK as a whole?

  • Less than 10 employees
  • 10 to 49 employees
  • 50 - 250 employees
  • More than 250 employees
  • Don’t know

4. What role does your organisation have?

Please tick more than one if appropriate.

  • Customer - organisation procuring and normally financing the development of the network
  • End user - those using the connectivity provided by a private telecoms network (for example, the staff within a customer’s organisation).
  • Provider - organisation responsible for providing private telecoms networks to customers
  • Other

5. If your organisation is a provider, what type of provider is it?

Please tick more than one if appropriate.

  • Designer or developer of private telecoms networks
  • Organisation operating private telecoms networks for customers
  • Systems integrator
  • Vendor (a provider of goods, services or facilities for use in private telecoms networks)
  • Other

If your organisation is a provider of private telecoms networks, please proceed to section 2.

If your organisation is a customer of a private telecoms network provider please go directly to section 3.

Otherwise please please go directly to section 4.

Section 2: Questions for Private Telecoms Network providers

2A) Questions about the Network

This section is designed to be answered by providers of private telecoms networks. This includes designers and developers of private telecoms networks, organisations operating private telecoms networks for customers, systems integrators and vendors that are involved in the provision of networks. The questions focus on identifying the types and uses of private telecoms networks provided to customers.

6. What type of connectivity do your networks provide?

Tick all that apply.

  • 3G
  • 4G
  • 5G
  • LoRa
  • Fixed
  • Other

7. What size are the organisations to which you provide private telecoms networks?

Tick all that apply:

  • Micro (less than 10 employees)
  • Small (10 to 49 employees)
  • Medium (50 - 250 employees)
  • Large (more than 250 employees)
  • Don’t know

8. Do you provide networks in critical sectors?

Critical sectors include chemicals, civil nuclear, defence, emergency services, energy, finance, food, government, health, space, transport and water.

  • Yes
  • No
  • Don’t Know

9. If so, which sectors?

  • Chemicals
  • Civil Nuclear
  • Defence
  • Emergency services
  • Energy
  • Finance
  • Food
  • Government
  • Health
  • Space
  • Transport
  • Water
  • Other

Section 2B: Questions about dependency

10. Who is the end user of the connectivity your networks provide?

Tick all that apply

  • Members of the public passing through a site
  • People living nearby
  • Visitors to the site
  • Members of staff of the customer organisation
  • Small businesses on site
  • Operational technologies
  • Sensors and monitoring devices
  • Other

11. Should your network go down, what would be the type(s) of impacts for the end user?

Tick all that apply:

  • Public Safety
  • Service delivery
  • Security of the sector
  • Security of the service
  • Internal Systems (such as HR)
  • Economic
  • Don’t know
  • Other

Please provide details.

12. What, if any, systems are reliant upon your networks?

If the private network in question were to fail would it have a knock on effect on any other systems. For example, are security systems (for example, automatic locks) or smart devices dependent on a connection to this network.

13. How reliant are those systems on your network?

  • Very reliant
  • Somewhat reliant
  • A little reliant
  • Not reliant
  • Not Applicable
  • Don’t know

14. What systems are your networks reliant upon?

Are there systems which if they were to fail would have a knock on effect on the running of your network? For example, a voice communication network could be reliant on power and would fail in a power outage.

15. How reliant are the networks on those other systems?

  • Very reliant
  • Somewhat reliant
  • A little reliant
  • Not reliant
  • Not Applicable
  • Don’t know

16. Do the networks you provide connect to, or share, resources with the public network?

  • Yes
  • No
  • Don’t know

Please explain.

17. What steps do you take to ensure the security of the networks you provide?

In this context, security can be defined as the protection of a network against external threats.

18. What steps do you take to ensure the resilience of the networks you provide?

In this context, resilience means the ability of the network to withstand, respond to and recover from disruption

19. Do you consider standards and/or guidance from the following organisations in the design, development  or deployment of your network(s)? If so, which ones?

  • Yes
  • No
  • Don’t know

20. If yes, tick all that apply.

  • 3GPP (e.g. the 3GPP Security Specification)
  • ETSI (e.g. ETSI 5G Security Architecture and procedures for 5G Systems guidance)
  • DSIT, previously DCMS (e.g. Telecommunications Security Code of Practice)
  • NCSC (e.g. The Cyber Assessment Framework)
  • GSMA (e.g. 5G Cyber Security Knowledge Base)
  • NPSA, previously CPNI (e.g. CAPSS)
  • ISO (e.g. ISO 27031:2011 – Business Continuity)
  • NIST (e.g. NIST CSF: Framework for Improving Critical Infrastructure Cybersecurity)
  • O-RAN Alliance (e.g. O-RAN Security Requirements Specifications 5.0)
  • Other
  • Not applicable

21. Do you take any steps to ensure that your networks are resilient in the event of a power outage?

  • Yes
  • No
  • Don’t know

22. If yes, please outline what measures you have in place, including the estimated duration that the network could continue to operate during any outage.

23. What, if any,  steps do you take to manage security and resilience in the supply chain of your private network?

24. Is your organisation also a customer of a private telecoms network provider?

If it is not, you will proceed directly to section 4: Policy Questions.

  • Yes
  • No

Section 3: Questions for Private Telecoms Network customers

We invite customers, including procurers, of private telecoms networks, to answer the questions in this section.

25. What sector(s) does your organisation operate in?

Tick all that apply:

  • Accommodation services
  • Agriculture, forestry and fishing
  • Arts, entertainment, recreation
  • Business administration and support services
  • Chemicals
  • Civil Nuclear
  • Construction
  • Defence
  • Education
  • Electricity and gas
  • Emergency services
  • Financial services
  • Food
  • Government
  • Health
  • Information and communication
  • Insurance
  • Oil
  • Post
  • Production and manufacturing
  • Professional, scientific and technical
  • Property
  • Public administration
  • Space
  • Transport
  • Utilities
  • Water
  • Wholesale and retail trade; repair of motor vehicles and motorcycles
  • Other

26. What is the main purpose of your organisation?

27. What is your organisation using private telecoms networks for?

Tick all that apply:

  • Connectivity for staff on site
  • Connectivity for staff away from site
  • Internal communication
  • Security
  • Back-up systems
  • Internet-of-Things (IoT) device control
  • Sensors and monitoring devices
  • Operational technologies
  • Other

Please provide details.

28. If private telecoms networks used by your organisation were to stop working, would it affect the delivery of your organisation’s functions?

  • Yes
  • No
  • Don’t know

29. If yes, which of your organisation’s functions would be affected?

30. If yes, would any of the following be affected?

Tick all that apply:

  • Public safety
  • Service delivery
  • Security of the sector
  • Security of the service
  • Internal systems (e.g. HR)
  • Finance
  • Other

31. How do you plan to use private telecoms networks in your organisation in the future?

For example, how many networks do you intend to use, for what purpose, and to what extent?

32. To what degree did you consider security when you procured your private network?

In this context, security can be defined as the protection of a network against external threats.

1 = Security was not considered and 5= Security was prioritised.

  • 1
  • 2
  • 3
  • 4
  • 5
  • Don’t know

Please explain your answer. For example, what were the biggest security challenges that you faced, and how did you overcome them?

33. To what degree did you consider resilience when you procured your private telecoms network?

In this context, resilience means the ability of the network to withstand, respond to and recover from disruption.

1 = Resilience  was not considered and 5= Resilience was prioritised.

  • 1
  • 2
  • 3
  • 4
  • 5
  • Don’t know

Please explain your answer.

34. What, if any, steps do you take to manage security and resilience in the supply chain of your private network?

Section 4: Policy questions (for all respondents)

This section focuses on how we can ensure that the private telecoms network market develops in a way to encourage good security and resilience outcomes. This includes potential actions that industry can take, such as complying with standards, and potential interventions that the government could take to encourage good security and resilience. We would ask all respondents to answer these questions based on their knowledge and experiences.

35. Do you think the market for private telecoms networks is developing in a way that encourages good security?

  • Yes
  • No
  • Don’t know

Please explain your answer.

36. How do you think new technological developments will impact the security or resilience of private telecoms networks?

37. To what degree do existing telecoms industry and cyber security standards support the deployment of secure and resilient private telecoms networks?

  • A lot
  • Somewhat
  • A little
  • Not at all
  • Don’t know

Please explain your answer.

For example, are there ways in which standards could better support the security of private telecoms networks, or particular types of private telecoms networks? Are there changes to standards that you would like to see in future to support private network security?

38. How could the government best support the security and resilience of private telecoms networks?

39. Should private and public telecoms networks continue to be treated differently when developing policy to ensure good network security?

  • Yes
  • No
  • Don’t know

Please explain your answer.

40. If yes, how should private telecoms networks be distinguished from public telecoms networks?

41. What are the security risks to private telecoms networks that should be prioritised when developing policy to ensure good network security?

Annex B – Respondent organisations

Aloha
Amazon Web Services, Inc.
Arqit
AttoCore LTD
BAE Systems Digital Intelligence
BSI
BT
CableFree: Wireless Excellence
Cellnex UK and its UK subsidiaries
Cisco
Colt
CUMUCORE
CyberArk Software
Data Communications Company
DEKRA
Druid Software
Electricity North West
FCS
FreshWave
H3G UK Ltd.
Home Office
Huawei
Multiview Media
National Grid Electricity Distribution
NCC Group
Network Rail
Northern Powergrid
OTR TEAM LIMITED
QinetiQ Ltd.
SGN
techUK
Verizon
Virgin Media O2
Vodafone
WBA
Wildanet Ltd
Wireless Infrastructure Group
WM5G
Zeetta Networks Ltd
  1. See definition of ‘public electronic communications network’ in section 151(1) of the Communications Act 2003; section 151(9) specifies that “a service is made available to members of the public if members of the public are customers, in respect of that service, of the provider of that service. 

  2. https://www.gov.uk/government/publications/uk-wireless-infrastructure-strategy/uk-wireless-infrastructure-strategy 

  3. Respondents were able to answer the call for information via an online survey on the ‘Qualtrics’ platform 

  4. Organisations were able to categorise themselves as more than one ‘type of organisation’ 

  5. Respondents could categorise themselves as more than one ‘type of provider’ 

  6. Respondents could pick more than one type of connectivity and size of organisation they worked with. 

  7. Operational technology (OT) is hardware and software that detects or causes a change, through the direct monitoring and/or control of industrial equipment, assets, processes and events. 

  8. A sector would be deemed critical should it provide infrastructure that would result in major detrimental impacts on the availability, delivery or integrity of essential services, leading to severe economic or social consequences or to loss of life, should it be lost or compromised. We defined the following sectors as critical in the call for information: chemicals, civil nuclear, defence, emergency services, energy, finance, food, government, health, space, transport and water. Respondents could choose more than one sector. 

  9. Fixed fibre connecting the core network to the edges of the network. 

  10. “Security” was defined in the call for information as ‘ the protection of a network against external threats’ 

  11. “Resilience” was defined in the call for information as ‘the ability of the network to withstand, respond to and recover from disruption’. 

  12. Respondents were asked to rate on a scale of 1 to 5 to what extent security was considered (where 5 was ‘security was prioritised’). All respondents chose 5. 

  13. Respondents were asked to rate on a scale of 1 to 5 to what extent resilience was considered (where 5 was ‘resilience was prioritised’). Four out of five of the respondents chose 5 with the remaining respondent choosing 3. 

  14. The 3rd Generation Partnership Project (3GPP) is an umbrella term for a number of standards organizations which develop protocols for mobile telecommunications. 

  15. ETSI is a European Standards Organisation (ESO). It is a regional standards body dealing with telecommunications, broadcasting and other electronic communications networks and services. 

  16. This covers guidance and regulation produced by DSIT, such as the Electronic Communications (Security Measures) Regulations 2022 created using powers in the Telecommunications (Security) Act 2021, though these notably contain measures regarding public rather than private networks. Other legislation, such as Product Security and Telecommunications Infrastructure Act 2022, was also mentioned by those who responded to the call for information. 

  17. ISO (International Organization for Standardisation) is an independent, non-governmental international organization with a membership of 169 national standards bodies. 

  18. Security by design is an approach to software and hardware development that seeks to make systems as free of vulnerabilities and impervious to attack as possible at the design stage. 

  19. The main concept behind the zero-trust security model is “never trust, always verify,” which means that users and devices should not be trusted by default, even if they are connected to a permissioned network such as a corporate LAN and even if they were previously verified. 

  20. The duplication of critical network components to ensure uninterrupted service availability. 

  21. A penetration test is an authorised simulated attack performed on a computer system to evaluate its security 

  22. CREST stands for Council of Registered Ethical Security Testers. 

  23. Respondents, in particular, referred to the UK’s regulatory framework for the security of public telecoms networks, including duties in the Communications Act 2003 as amended by the Telecommunications (Security) Act 2021, requirements in the Electronic Communications (Security Measures) Regulations 2022 and measures in the associated Telecommunications Security Code of Practice. 

  24. https://www.gov.uk/government/news/cyber-laws-updated-to-boost-uks-resilience-against-online-attacks 

  25. 94% of respondents – see paragraph 28. 

  26. Some respondents suggested that use of legacy equipment was also an issue for private telecoms network 

  27. Open RAN is the disaggregation of the radio access network into parts which are interconnected by open, standards-based, interoperable interfaces, using open, standards-based protocols for communicating over those interfaces. As a result, networks can be built from parts from different vendors. 

  28. A software intermediary that allows two applications to talk to each other. 

  29. Radio spectrum (spectrum) is the range of invisible electromagnetic waves that enable all wireless technology, from our mobile phones, Wi-Fi and Bluetooth devices to aircraft navigation and satellite applications, among many others. 

  30. Respondents took a broad interpretation as to the definition of ‘standards’ looking across regulation, guidance and the traditional definition of standards. 

  31. Electronic Communications (Security Measures) Regulations 2022 

  32. This was an open text question