Headaches for UK ISPs as Telecoms Security Bill to Become Law

The UK Government’s new Telecommunications (Security) Bill (TSB) is set to become law after passing through both houses of parliament this month, but it goes much further than just banning Huawei from the UK’s 5G mobile networks. Broadband ISPs, both big and small alike, also face a cacophony of tedious new rules.

Few would disagree with the desire to ensure that modern broadband and mobile networks (PECN – Public Electronic Communications Networks), as well as related services (PECS – Public Electronic Communications Services), are secure. It’s a no-brainer. On the other hand, when it comes to setting law in complex technical fields like this, politicians  – who tend not to fully understand how such networks work – can make mistakes.

For the purposes of this article, we’re going to skip the recap of anything to do with Huawei and telecoms supply chain diversity, since that debate is already well understood (details), and we fear it may distract from a lot of other changes that are being introduced alongside the TSB (internet connection monitoring, encouraging data localisation to the UK, hampering connectivity to UK networks etc.).

We should add that the move to ban Huawei will result in restrictions on the use of their kit in gigabit-capable fixed line broadband networks too, which is one of the reasons why Openreach (BT) last year had to secure a third strategic supplier for their new Fibre-to-the-Premises (FTTP) network (here). Discussions about precisely how this will impact fixed line networks are still ongoing.

What else will the TSB do?

The framework set out in the act will provide the Government and Ofcom with significant new powers to intervene in how telecommunications companies run their business, manage supply chains, design and operate networks. Fines of up to £10m or £100,000 a day will also be issued for those that fail to meet the required standards, which is a particularly big burden for smaller players to shoulder.

The move is intended, among other things, to strengthen the security and oversight of technology used in telecoms networks, including the electronic equipment and software used across the networks which handle internet traffic and telephone calls. The idea is to give the Government a greater ability to respond to national security threats within such networks, both now and in the future.

However, practically applying such rules to hugely complex national telecommunications networks, with global connectivity and supply chains to consider, will not be so easy. A lot of this concern stems from the secondary legislation that accompanies the TSB, which has already been set out via the Government’s Draft Electronic Communications (Security Measures) Regulations 2021. 

The new rules will require providers to “monitor, analyse and audit” signals – excluding the content of communications – both entering, transiting and leaving their networks “for the purpose of identifying the occurrence of any security compromise” – a record of this must be kept for at least 13 months. This is a big demand and cost, albeit one that partly repeats some of what the Investigatory Powers Act (IPAct) already requires.

The monitoring requirements also require providers to securely protect the data they store and to “ensure that workstations through which privileged access is possible are not exposed to external networks.” Furthermore, it tells providers to “ensure that tools enabling monitoring or audit cannot be accessed from outside the [UK] if they enable monitoring or audit – (i) in real time, or (ii) of the content of signals.”

On the surface, the aforementioned requirements sound fair, except external connectivity solutions and services with non-UK networks and services are somewhat par for the course with global internet connectivity. For example, operators may have bases in other countries and their staff might need to work via the operator’s own Virtual Private Network (VPN) while abroad on business, both of which seem to clash with the rules.

Network providers must also “take measures to prevent activities that unreasonably restrict monitoring, analysis and investigation.” The devil will be in the interpretation of that, as it would seem to conflict with services, such as WhatsApp, that use end-to-end encryption to secure their communications (other areas of the rules also seem set to hamper this), as well as secure VPNs etc.

The rules then require network providers “to avoid dependence on persons, equipment or stored data located outside the [UK] to monitor and audit the use of networks located in the [UK],” which may be difficult to implement given that modern software and hardware tends to be produced with bits and pieces from across the world (i.e. global supply chains and operations).

Providers may also be ordered by Ofcom to conduct annual penetration testing of their networks. Most credible providers will already be mindful of security considerations, but this would make testing compulsory. The details of how this will work and be reported on are currently still uncertain. Some sort of standards may also be required to avoid providers trying to game the system.

Suffice to say, there are a lot of potential problem areas on the implementation side for providers.

Latest Lords Amendments

Yesterday’s debate saw the House of Commons consider five amendments that had been tabled in the House of Lords. Three of the amendments (1, 2 and 3) were adopted, while 4 and 5 were disagreed. The adopted amendments 1-3 will require the Government to lay a draft of any Code of Practice (CoP) before Parliament for 40 days, which will enable scrutiny before it is issued.

As for the rejected amendment 4, this focused on diversification and would have placed an annual requirement on the Government to report on the impacts of their 5G telecoms diversification strategy on the security of public telecommunications networks and services. The government felt as if such a reporting requirement would be “restrictive and premature.”

Finally, lords amendment 5 related to reviewing actions taken by the Five Eyes nations regarding high-risk vendors. The Government welcomed the “spirit of the amendment“, but rejected it because a similar sort of process already existed under another part of the bill.

What’s next?

The UK Internet Service Providers’ Association (ISPA) has already done a good job of highlighting many of the concerns about the proposed rules (here) and raising them with the Government, although it now seems likely that a lot of the key technical challenges and detail will be left up to Ofcom to resolve after Royal Assent. The regulator will have their work cut out in trying to avoid a potential tsunami of unintended consequences.

A Spokesperson for the ISPA told ISPreview.co.uk:

“ISPA has been working closely with its members, government and policymakers on the Telecoms Security Bill over the past twelve months. As the Bill nears Royal Assent, we are looking for clarity from Government through updated secondary legislation and the Code of Practice on the areas of concern we have identified.

This includes who will be scope and to what extent through the proposed three tier system, the impact on the ability to use overseas services, what kind of data operators may need to store, meeting requirement to manage and secure the supply chain and more besides. Until then there remains a significant amount of uncertainty.”

In short, running a public broadband or mobile network is about to become a fair bit more tedious, and at present it’s unclear whether the benefits of all this will truly outweigh the not insignificant cost and technical caveats of implementation, as well as any added bureaucracy that providers might face.

The industry is now waiting for the bill to pass so that it can move to the next stage, which will reflect a series of consultations on the new Code of Practice, Ofcom’s enforcement powers and the high-risk vendor policy. Not to mention the need for updated secondary legislation, which should hopefully reflect some of the industry’s technical feedback and concerns.

In theory, we may well end up with a much more secure telecommunications infrastructure, which would be a very good thing indeed and should be welcomed. But the risk is that, in trying to make UK networks more secure, the Government may also end up doing the opposite, while harming the use of global supply chains in the process.