The UK Government has today begun to consult on draft regulations for their new Telecommunications (Security) Act which, aside from banning Huawei inside 5G mobile networks (and restricting their involvement with FTTP broadband), will also impose a cacophony of tedious new security rules on telecoms operators.
The TSA became law in November 2021 (full summary) and imposes stronger legal duties on public telecoms providers to defend their networks from cyber threats, which could cause network failure or the theft of sensitive data. Few could disagree with such desires, although politicians – who tend not to fully understand how these networks work in the real-world – are often awful at getting such rules right.
The above is a concern because the new framework hands significant new powers to the Government and Ofcom, enabling them to intervene in how telecommunications companies run their business, manage supply chains, design and even operate networks. Fines of up to 10% of turnover or £100,000 a day will be issued against those that fail to meet the required standards, which would be a particularly big burden for smaller players.
The good news is this consultation seeks views on plans to place telecoms providers into three “tiers” under the new Code of Practice (CoP), which will be filtered according to size and importance to UK connectivity. The purpose here, we’re told, is to “ensure steps to be taken under the code are applied proportionately and do not put an undue burden on smaller companies.” But we’ll come back to this later.
Telecoms providers will be legally required to:
➤ Protect data stored by their networks and services, and secure the critical functions which allow them to be operated and managed;
➤ Protect tools which monitor and analyse their networks and services against access from hostile state actors;
➤ Monitor public networks to identify potentially dangerous activity and have a deep understanding of their security risks, reporting regularly to internal boards; and
➤ Take account of supply chain risks, and understand and control who has the ability to access and make changes to the operation of their networks and services.
However, practically applying such rules to hugely complex national telecommunications networks, with global connectivity and supply chains to consider, will not be so easy (i.e. modern software, internet services and hardware are all produced with bits and pieces, as well as connectivity, from across the world). The code will thus need to have some flexibility in order to avoid stifling innovation.
Julia Lopez, UK Digital Infrastructure Minister, said:
“Broadband and mobile networks are crucial to life in Britain and that makes them a prime target for cyber criminals.
Our proposals will embed the highest security standards in our telecoms industry with heavy fines for any companies failing in their duties.”
The consultation will remain open until 10th May 2022 and after that the final regulations and the final CoP will be laid in Parliament. Assuming all goes to plan, then both are expected to be enforced from sometime “later this year.”
In terms of that tier system, the government essentially proposes allocating providers into three tiers with different compliance expectations and levels of Ofcom oversight for each tier.
The Three Tiers
➤ Tier 1 providers would be the largest organisations providing public networks and services for which a security compromise would have the most widespread impact on network and service availability, and the most damaging economic or social effects. This is likely to include public telecoms providers with relevant annual turnover of £1bn+.
➤ Tier 2 providers would be those medium-sized companies providing networks and services for which security compromises would have an impact on critical national infrastructure (CNI) or regional availability with potentially significant security, economic or social effects. This is likely to include public telecoms providers with relevant annual turnover in the relevant period of more than or equal to £50m, but less than £1bn.
➤ Tier 3 providers would be the smallest companies in the market that are not micro-entities. While security compromises to their networks or services could affect their customers, if those networks and services do not support CNI such compromises would not significantly affect national or regional availability.
Just to give a little context above, virtually all of the largest broadband ISPs would naturally fall into Tier 1, while the likes of medium-size ISPs (e.g. Hyperoptic with a turnover of £51.7m and Zen Internet on £82.1m) would probably fall into Tier 2. The vast majority of smaller providers would thus fall into Tier 3 and should enjoy a light touch approach.
The Government states that Tier 3 providers may choose to adopt the measures where these are relevant to their networks and services. “We welcome feedback from providers who may be considered Tier 3 on whether further specific guidance is needed to assist compliance with legal obligations.”
However, there is a catch here. Some Tier 3 providers may supply parts of networks and services owned by larger Tier 1 or Tier 2 providers. Therefore, the draft regulations stipulate that where a provider acts as a third-party supplier to another provider, they must take security measures that are equivalent to those taken by the provider receiving their services. “This requirement is intended to prevent unacceptable vulnerabilities being posed by smaller providers who may not be considered Tier 1 themselves,” which we imagine may be a problem for some companies.
UPDATE 8th March 2022
Ofcom has today begun consulting on the related guidance for telecoms providers.
Under the new framework, the regulator has a duty to ensure providers comply with their security duties, including as to the availability, performance or functionality of the network or service; and it gives Ofcom the powers to proactively monitor and enforce these duties.
The new consultation sets out the procedures they expect to follow in carrying out their monitoring and enforcement activities. “We have also proposed new guidance on which security compromises we would expect providers to report to us. We are also proposing to update our existing guidance on network resilience to reflect the new framework, and draft regulations and Code of Practice, on which the UK Government is currently consulting.”
Interested or affected parties are invited to respond to this consultation by 17th May 2022. “We plan to issue our final procedures and guidance in Autumn 2022,” said Ofcom.
So, who would Ofcom fine if there was a widespread tool-driven security breach affecting multiple ISPs... the tool provider? No one? Everyone?
I’m thinking SolarWinds here.
Each individual compromised ISP would be in scope, as they’ve failed in the requirement to secure their supply chain. If they could show that they had done everything they could to protect that chain, then they could use the defence of best efforts and should (depending on their argument) receive just an admonishment or a reduced penalty (if they’d done some mitigation).