The Telecommunications (Security) Bill is intended to reinforce the security of the UK telecommunications infrastructure, but what are the implications for industry?
Given the rapid pace of developments in the technology sector, as well as the rising threats posed by online crime, new telecommunications legislation has been on the horizon for some time. Following the Future Telecoms Infrastructure review and the UK Telecoms Supply Chain review, the government identified three key areas that needed to be improved:
- New security requirements.
- Managing the security risk posed by suppliers.
- Enhanced legislative framework for security in telecoms.
In November 2020, the Telecommunications (Security) Bill was introduced to the House of Commons by Matt Warman MP, parliamentary under-secretary for the Department for Digital, Culture, Media and Sport (DCMS). The bill aims to give the government new powers to boost the security standards of the UK’s telecommunication networks and remove the threat posed by suppliers identified by the government as being high-risk. This is achieved by the bill expanding the legislative powers of the existing Communications Act 2003.
Warman explains: “The next step is the consultation on a code of practice that will set out how Ofcom and providers will work together to meet the precise details of those responsibilities, so that things are proportionate, sensible and meet the right balance between security for consumers and businesses, but also clarity and predictability for providers.”
The bill focuses on providers of electronic communication networks and services (PECN/PECS), which means any company that is wholly or partly involved in the telecommunications sector. The aims of the bill can be broken down into four key elements:
- Provide new legal security duties for PECN/PECS to ensure adequate security of networks.
- Expand Ofcom’s duties to promote security and resilience to PECN/PECS.
- Provide a delegated power to make secondary legislation, setting out sub-duties and detailed security requirements to further define the priority actions to be taken by PECN/PECS.
- Provide powers for the DCMS secretary of state to set out new security codes of practice to assist Ofcom and relevant PECN/PECS with meeting these additional new duties.
Although all internet-connected devices, from CCTV systems to smart meters, effectively communicate with each other, the Telecommunications (Security) Bill only covers voice and text communication services. “This bill is very narrowly focused on the telecom network,” says Warman.
Security of IoT devices
However, the security of internet of things (IoT) devices is also being considered. “In the Queen’s Speech, we announced the Product Security and Telecommunications Infrastructure Bill, part of which is about tackling smart devices,” adds Warman. “It is still far too easy to buy a smart device that has the password as ‘password’, or even worse, you can’t change the password at all.”
Central to the Telecommunications (Security) Bill is the requirement for PECN/PECS to take security measures to protect their networks and services. This is covered in Section 105A, where it states: “The provider of a public electronic communications network or a public electronic communications service must take such measures as are appropriate and proportionate for the purposes of:
- Identifying the risks of security compromises occurring.
- Reducing the risks of security compromises occurring.
- Preparing for the occurrence of security compromises.”
A “security compromise” can be broadly defined as anything that impinges upon the performance and functionality of a telecommunication network. The full definition, which incorporates seven distinct definitions of a security compromise, is given in Paragraph 2 of Section 105A. While this may seem long-winded, the bill is attempting to encompass all forms of vulnerabilities, thereby future-proofing itself.
“This represents a significant shift in how government oversees security, and with the NS&I Bill shows a more proactive stance is being taken, which could change how a provider runs its network,” says Andrew Kernahan, head of public affairs for ISPA. “We think any measures that go above and beyond usual business practice must be considered carefully, with safeguards put in place.”
Also, PECN/PECS will be expected to take certain measures in response to a security compromise. Paragraph 2 in Section 105C states: “The provider of the network or service must take such measures as are appropriate and proportionate for the purpose of preventing adverse effects (on the network or service or otherwise) arising from the security compromise.”
As part of their response, PECN/PECS will be expected to inform both Ofcom and their users of any security vulnerabilities. Paragraph 2 of Section 105J states: “The provider of the network or service must take such steps as are reasonable and proportionate for the purpose of bringing the relevant information, expressed in clear and plain language, to the attention of persons who use the network or service and may be adversely affected by the security compromise.”
This is in addition to informing the Information Commissioner’s Office (ICO) in the event of a data breach.
Although the bill takes steps to incorporate all forms of security vulnerabilities, it caveats that security legislation is not included. Section 105A stipulates: “But in this chapter, ‘security compromise’ does not include anything that occurs as a result of conduct that is required or authorised by or under an enactment mentioned in subsection (4).”
The enactments mentioned in Subsection 4 include the following:
- Investigatory Powers Act 2016.
- Part 1 of the Crime and Courts Act 2013.
- Prisons (Interference with Wireless Telegraphy) Act 2012.
- Regulation of Investigatory Powers Act 2000.
- Intelligence Services Act 1994.
This is to ensure that there is no legislative overlap. Warman explains: “Keeping that segmentation is important, because it allows law enforcement to get on with working with telecoms providers in the way that they currently do, and doesn’t start moving goalposts. You wouldn’t want to accidentally create a conflict of duties through three different legislations.”
Following the government’s decision to ban Huawei technology from the UK telecommunications infrastructure, the Section 105Z1 of the bill includes powers for designated supplier directions. This allows the secretary of state to order companies to restrict or ban purchasing from certain suppliers in the interests of national security.
In addition to these security provisions, organisations will be expected to follow specified security measures (Section 105B) and codes of practice (Section 105E), which can be issued and withdrawn by the secretary of state.
Underpinning this is Section 105Z25, which gives the secretary of state the power to apply additional security measures to certain information. “The bill requires communications providers, such as ISPs, not to disclose the contents of vendor directions or notifications without the permission of the secretary of state,” says Kernahan. “This would mean that ISPs will be unable to discuss the situation – and therefore seek advice – with their peers.”
When asked about this, Warman says: “The only reason why those non-disclosure clauses are potentially in there is where we feel it might compromise national security to make those sorts of things public.”
More powers for Ofcom
The articles in the bill will be enforced by Ofcom, which will therefore gain more powers. These powers include Ofcom being able to assess PECN/PECS compliance with the bill and to issue financial penalties for non-compliance. These penalties include up to £100,000 a day for failing to comply with a security duty and a maximum penalty of £10m for not complying with a code of practice.
The costs for complying with the new bill are still to be determined, partly because of the Covid-19 pandemic. It was noted on page 3 of the impact assessment that the largest operators “could incur potentially significant costs”. Tier 1 operators could face familiarisation costs of up £200,000, while non-Tier 1 operators could face familiarisation costs of up to £2m.
Warman adds: “If you look at what this bill is doing, together with the diversification strategy, it is working towards a more diverse telecoms landscape, backed by a £250m initial investment. One of the problems that we’ve got in the telecoms network landscape is that reliance on a small number of providers. We are keen to use the package of measures that we’ve put forward to promote innovation in an area that hasn’t had, in some ways, enough of it.”
The Telecommunications (Security) Bill is a sign of things to come. Technology companies wishing to continue operating in the UK need to be aware that further security requirements will be required of them in the future.
“The bill is tackling the deficiencies in existing telecom security legislation, but then the Product Security and Telecommunications Infrastructure Bill is going into other areas,” says Warman. “There are a whole host of products. You never had to worry about the security of your fridge, other than possibly from pets and children. Whereas now, we absolutely have to worry about whether products on sale in this country that are connected to the internet, offer that minimum standard of security that everyone can reasonably expect.”
The Telecommunications (Security) Bill is ultimately designed to reinforce the UK’s telecommunication infrastructure, but the onus is being placed on telecommunication service providers. Although it is welcome that the government is legislating the need for greater security, the cost and non-disclosure elements may yet be seen as areas of concern.
Courtesy of: Peter Ray Allison