
Headaches for UK ISPs as Telecoms Security Bill to Become Law

Tuesday, November 9th, 2021 (3:37 pm)

The UK Government’s new Telecommunications (Security) Bill (TSB) is set to become law after passing through both houses of parliament this month, but it goes much further than just banning Huawei from the UK’s 5G mobile networks. Broadband ISPs, both big and small alike, also face a cacophony of tedious new rules.

Few would disagree with the desire to ensure that modern broadband and mobile networks (PECN – Public Electronic Communications Networks), as well as related services (PECS – Public Electronic Communications Services), are secure. It’s a no-brainer. On the other hand, when it comes to setting law in complex technical fields like this, politicians – who tend not to fully understand how such networks work – can make mistakes.

For the purposes of this article, we’re going to skip the recap of anything to do with Huawei and telecoms supply chain diversity, since that debate is already well understood (details), and we fear it may distract from a lot of other changes that are being introduced alongside the TSB (internet connection monitoring, encouraging data localisation to the UK, hampering connectivity to UK networks etc.).

We should add that the move to ban Huawei will result in restrictions on the use of their kit in gigabit-capable fixed line broadband networks too, which is one of the reasons why Openreach (BT) last year had to secure a third strategic supplier for their new Fibre-to-the-Premises (FTTP) network (here). Discussions about precisely how this will impact fixed line networks are still ongoing.

What else will the TSB do?

The framework set out in the act will provide the Government and Ofcom with significant new powers to intervene in how telecommunications companies run their business, manage supply chains, design and operate networks. Fines of up to £10m or £100,000 a day will also be issued for those that fail to meet the required standards, which is a particularly big burden for smaller players to shoulder.

The move is intended, among other things, to strengthen the security and oversight of technology used in telecoms networks, including the electronic equipment and software used across the networks which handle internet traffic and telephone calls. The idea is to give the Government a greater ability to respond to national security threats within such networks, both now and in the future.

However, practically applying such rules to hugely complex national telecommunications networks, with global connectivity and supply chains to consider, will not be so easy. A lot of this concern stems from the secondary legislation that accompanies the TSB, which has already been set out via the Government’s Draft Electronic Communications (Security Measures) Regulations 2021.

The new rules will require providers to “monitor, analyse and audit” signals – excluding the content of communications – entering, transiting and leaving their networks “for the purpose of identifying the occurrence of any security compromise”, and a record of this must be kept for at least 13 months. This is a big demand and cost, albeit one that partly repeats some of what the Investigatory Powers Act (IPAct) already requires.

The monitoring requirements also require providers to securely protect the data they store and to “ensure that workstations through which privileged access is possible are not exposed to external networks.” Furthermore, it tells providers to “ensure that tools enabling monitoring or audit cannot be accessed from outside the [UK] if they enable monitoring or audit – (i) in real time, or (ii) of the content of signals.”

On the surface, the aforementioned requirements sound fair, except external connectivity solutions and services with non-UK networks and services are somewhat par for the course with global internet connectivity. For example, operators may have bases in other countries and their staff might need to work via the operator’s own Virtual Private Network (VPN) while abroad on business, both of which seem to clash with the rules.

Network providers must also “take measures to prevent activities that unreasonably restrict monitoring, analysis and investigation.” The devil will be in the interpretation of that, as it would seem to conflict with services, such as WhatsApp, that use end-to-end encryption to secure their communications (other areas of the rules also seem set to hamper this), as well as secure VPNs etc.

The rules then require network providers “to avoid dependence on persons, equipment or stored data located outside the [UK] to monitor and audit the use of networks located in the [UK],” which may be difficult to implement given that modern software and hardware tends to be produced with bits and pieces from across the world (i.e. global supply chains and operations).

Providers may also be ordered by Ofcom to conduct annual penetration testing of their networks. Most credible providers will already be mindful of security considerations, but this would make testing compulsory. The details of how this will work and be reported on are currently still uncertain. Some sort of standards may also be required to avoid providers trying to game the system.

Suffice to say, there are a lot of potential problem areas on the implementation side for providers.

Latest Lords Amendments

Yesterday’s debate saw the House of Commons consider five amendments that had been tabled in the House of Lords. Three of the amendments (1, 2 and 3) were adopted, while 4 and 5 were rejected. The adopted amendments 1-3 will require the Government to lay a draft of any Code of Practice (CoP) before Parliament for 40 days, which will enable scrutiny before it is issued.

As for the rejected amendment 4, this focused on diversification and would have placed an annual requirement on the Government to report on the impacts of its 5G telecoms diversification strategy on the security of public telecommunications networks and services. The Government felt that such a reporting requirement would be “restrictive and premature.”

Finally, Lords amendment 5 related to reviewing actions taken by the Five Eyes nations regarding high-risk vendors. The Government welcomed the “spirit of the amendment”, but rejected it because a similar sort of process already existed under another part of the bill.

What’s next?

The UK Internet Service Providers’ Association (ISPA) has already done a good job of highlighting many of the concerns about the proposed rules (here) and raising them with the Government, although it now seems likely that a lot of the key technical challenges and detail will be left up to Ofcom to resolve after Royal Assent. The regulator will have their work cut out in trying to avoid a potential tsunami of unintended consequences.

A Spokesperson for the ISPA told ISPreview.co.uk:

“ISPA has been working closely with its members, government and policymakers on the Telecoms Security Bill over the past twelve months. As the Bill nears Royal Assent, we are looking for clarity from Government through updated secondary legislation and the Code of Practice on the areas of concern we have identified.

This includes who will be in scope and to what extent through the proposed three tier system, the impact on the ability to use overseas services, what kind of data operators may need to store, meeting requirements to manage and secure the supply chain and more besides. Until then there remains a significant amount of uncertainty.”

In short, running a public broadband or mobile network is about to become a fair bit more tedious, and at present it’s unclear whether the benefits of all this will truly outweigh the not insignificant cost and technical caveats of implementation, as well as any added bureaucracy that providers might face.

The industry is now waiting for the bill to pass so that it can move to the next stage, which will reflect a series of consultations on the new Code of Practice, Ofcom’s enforcement powers and the high-risk vendor policy. Not to mention the need for updated secondary legislation, which should hopefully reflect some of the industry’s technical feedback and concerns.

In theory, we may well end up with a much more secure telecommunications infrastructure, which would be a very good thing indeed and should be welcomed. But the risk is that, in trying to make UK networks more secure, the Government may also end up doing the opposite, while harming the use of global supply chains in the process.

By Mark Jackson
Mark is a professional technology writer, IT consultant and computer engineer from Dorset (England). He also founded ISPreview in 1999 and enjoys analysing the latest telecoms and broadband developments.
15 Responses
  1. anonymous says:

    And everyone’s bill to go up because of extra politician and regulator bureaucracy requirements…

    1. Tom says:

      In the USA these items are often additional line entries on bills (certainly on AT&T ones I’ve seen). It makes them utterly confusing but also does show how much each additional bit of regulation has added to the customer’s overall payment.

    2. Mike says:

      That’s something I’d like to see more of in the UK so people could see the true level of taxation.

    3. Buggerlugz says:

      Maybe they could do that for fuel, gas and electricity, oh and road tax….or how much cream they take off the top to line their own pockets? can’t see that happening.

    4. A_Builder says:

      “ Maybe they could do that for fuel, gas and electricity, oh and road tax”

      There was a petrol lump developed in the late ‘90 that shows the tax take. I think it was Schlumberger who developed it? Anyway when one of the forecourt majors wanted to install them HMG’s spin machine said no.

  2. Jack says:

    So will this be required by all ISPs or will the smaller ones be exempt because of the cost to implement?

    1. Squid Game says:

      First paragraph, last sentence.

  3. Mark says:

    If it’s anything to do with Parliament and the House of Lords it’ll be a disaster.
    Plus it seems Boris, not content with destroying the free energy market, wants to do the same to the free telecoms market. I can see prices increasing already…
    There’s a right way and a wrong way to do things, and when it comes to technology the government invariably chooses the wrong way. And perhaps someone should remind them NO network is 100% secure.

  4. Darc says:

    Unless this act is about the ISP monitoring their own equipment and access to it, implementing this to analyse user traffic could have massive issues since most traffic is already encrypted end to end via HTTPS.

    A lot of recent moves by Google and Cloudflare hide internet traffic destinations with DNS over HTTPS, load balancers and proxy servers. It is becoming increasingly difficult if not impossible to work out what any of the traffic is for. DNS over HTTPS is in many ways designed to make it impossible for ISPs and governments to snoop on internet traffic.

    Not sure how the government is expecting the ISPs to do miracles.

    1. Mark says:

      TLS SNI inspection of certificates is expensive in processing power and with ESNI it’s as good as impossible with DNS over HTTPS concurrently…

  5. Essa says:

    One could argue that the regulator does not specify if the information is encrypted or not, so one could argue that as long as the encrypted traffic is stored and, if the authorities need that data, they are given access to it, then as far as I can read this the ISP has done what the regulation has asked of them.

    For example it says “The new rules will require providers to ‘monitor, analyse and audit’ signals – excluding the content of communications”.

    They can monitor encrypted traffic, they can analyse and audit from where to where, and it does say “excluding the content of communication”.

    Collect IP from and to, time and date.


    1. Mark says:

      That is true that IP addresses in traffic can be monitored from and to, but analysis of the traffic would seem to imply some sort of intrusion detection system (IDS) and prevention (IPS) in the great firewall of UK protecting UK infrastructure, which is a good idea.

      And analysis of the traffic surely would need TLS inspection for categories for traffic, eg: news, social media, malware, pornography, etc..

      Would have thought that would need more than IP addresses meta analysis, at least TLS and certificates for categories to be effective, if not now in future years…?
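The exchange above (Essa's "collect IP from and to, time and date" and Mark's point that categorising traffic needs at least TLS SNI, which ESNI/ECH removes) can be made concrete by looking at what a passive monitor actually sees in a TLS ClientHello. The following is an added example, not code from ISPreview, any ISP or any regulator: it constructs a minimal ClientHello, extracts the metadata an on-path observer can read (server name, offered cipher suites) without touching application content, and shows that when the Encrypted Client Hello extension is present only the outer "public" name is visible. The host names, the fixed random bytes and the ECH extension codepoint (0xfe0d, the draft-ietf-tls-esni value) are assumptions made for the example; the parser is a hand-written subset, not a full TLS implementation.

```python
"""Metadata-only view of a TLS ClientHello, as an on-path monitor would see it.

Constructed example: builds a ClientHello, then parses back only the
fields a passive observer can read. No application data is ever kept.
"""
import struct

SNI_EXT = 0x0000
ECH_EXT = 0xFE0D  # encrypted_client_hello codepoint from draft-ietf-tls-esni (assumption)


def build_client_hello(server_name, ech=False):
    """Build a minimal TLS 1.2-style ClientHello record (constructed test input).

    With ech=True an opaque ECH extension is appended, so `server_name`
    plays the role of the outer (public) name, as with ECH in practice.
    """
    name = server_name.encode()
    sni_entry = b"\x00" + struct.pack("!H", len(name)) + name   # name_type 0 = host_name
    sni_list = struct.pack("!H", len(sni_entry)) + sni_entry
    extensions = struct.pack("!HH", SNI_EXT, len(sni_list)) + sni_list
    if ech:
        payload = b"\x00" * 16  # opaque ECH body; contents are irrelevant for the observer
        extensions += struct.pack("!HH", ECH_EXT, len(payload)) + payload
    body = (
        b"\x03\x03"                                   # client_version (TLS 1.2 wire value)
        + b"\x11" * 32                                # random, fixed for reproducibility
        + b"\x00"                                     # empty session_id
        + struct.pack("!H", 4) + b"\x13\x01\x13\x02"  # two cipher suites
        + b"\x01\x00"                                 # one compression method: null
        + struct.pack("!H", len(extensions)) + extensions
    )
    handshake = b"\x01" + len(body).to_bytes(3, "big") + body   # type 1 = ClientHello
    return b"\x16\x03\x01" + struct.pack("!H", len(handshake)) + handshake


def parse_client_hello(record):
    """Return the observable handshake metadata: version, suites, SNI, ECH flag."""
    if len(record) < 5 or record[0] != 0x16:
        raise ValueError("not a TLS handshake record")
    rec_len = struct.unpack("!H", record[3:5])[0]
    hs = record[5:5 + rec_len]
    if not hs or hs[0] != 0x01:
        raise ValueError("not a ClientHello")
    pos = 4                                  # skip handshake type + 3-byte length
    version = hs[pos:pos + 2]; pos += 2
    pos += 32                                # random
    sid_len = hs[pos]; pos += 1 + sid_len    # session_id
    cs_len = struct.unpack("!H", hs[pos:pos + 2])[0]; pos += 2
    suites = [struct.unpack("!H", hs[pos + i:pos + i + 2])[0] for i in range(0, cs_len, 2)]
    pos += cs_len
    comp_len = hs[pos]; pos += 1 + comp_len  # compression methods
    result = {"version": version.hex(), "cipher_suites": suites, "sni": None, "ech": False}
    if pos + 2 > len(hs):
        return result                        # no extensions block at all
    ext_len = struct.unpack("!H", hs[pos:pos + 2])[0]; pos += 2
    end = pos + ext_len
    while pos + 4 <= end:
        etype, elen = struct.unpack("!HH", hs[pos:pos + 4]); pos += 4
        data = hs[pos:pos + elen]; pos += elen
        if etype == SNI_EXT:
            p = 2                            # skip server_name_list length
            while p + 3 <= len(data):
                ntype = data[p]
                nlen = struct.unpack("!H", data[p + 1:p + 3])[0]
                p += 3
                if ntype == 0:
                    result["sni"] = data[p:p + nlen].decode("ascii", "replace")
                p += nlen
        elif etype == ECH_EXT:
            result["ech"] = True             # inner ClientHello is encrypted; SNI seen is the outer name
    return result


def audit_record(src, dst, timestamp, record):
    """Metadata-only audit line in the spirit of the comment above: endpoints,
    time, and the SNI if visible. The payload itself is never stored."""
    meta = parse_client_hello(record)
    return {"src": src, "dst": dst, "ts": timestamp, "sni": meta["sni"], "ech": meta["ech"]}


if __name__ == "__main__":
    plain = build_client_hello("example.org")
    hidden = build_client_hello("public.example", ech=True)
    print(audit_record("192.0.2.10", "198.51.100.7", "2021-11-09T15:37:00Z", plain))
    print(audit_record("192.0.2.10", "198.51.100.7", "2021-11-09T15:38:00Z", hidden))
```

The second audit line carries `ech: True` and only the outer name, which is the practical limit Mark describes: an observer with only metadata can still record endpoints and timing, but categorising by destination name stops being reliable once ECH is deployed.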

  6. Martins Kreicis says:

    Oh dear Jesuits are desperate to have control over communication. Makes sense.

    1. The noticer says:

      Jesuits? Lol, no.

      It’s a different (((tribe))) trying to censor the internet.

  7. no name cv37 says:

    Welcome to 1984…big brother
