New Telecoms Security Bill – first thoughts
Locations
Yesterday a new Telecoms Security Bill was introduced into Parliament in the UK. The Government claims it gives unprecedented new powers to boost the security standards of the UK's telecoms networks and services and remove the threat of high risk vendors. Some of the key features of the new bill are as follows:
1. Broader scope of security obligations for providers
The obligations on providers require them to take appropriate and proportionate measures for:
(a) preparedness (i.e. identifying the risks of security compromises occurring; reducing the risks of security compromises occurring and preparing for the occurrence of security compromises);
(b) prevention of adverse effects on the network or service or otherwise arising from security compromises; and
(c) remedying and mitigating adverse effects that arise.
2. Broad definition of a "security compromise"
Under the previous telecoms security regime in the Communications Act, the protections focussed on risks to the security of networks and services, risks to end users, risks to interconnection and risks to availability. Under the new regime, the scope of what constitutes a "security compromise" has been broadened. While it still covers key risks to the security and confidentiality of signals conveyed and data stored on the network, it arguably extends beyond "security" compromises in the strict sense to a broad range of things that could impact on performance without necessarily compromising security. For example, a security compromise will include:
- anything that compromises the availability, performance or functionality of the network or service;
- anything that enables unauthorised access to, interference with or exploitation of the network or service – meaning that weaknesses in the networks or services will themselves be regarded as security compromises, whether or not they are exploited by attackers or cause actual security incidents;
- anything that occurs in connection with a network or service and causes a connected security compromise (i.e. to another network or service).
So a wide range of weaknesses or vulnerabilities will constitute security compromises even if confidentiality of signals or data on that network or service are not themselves compromised.
3. The Government may set out specific measures to be taken in regulations and may issue designated vendor directions
The Government has a broad power to make secondary legislation requiring provides to take specified measures or measures of a specified description, provided that the Secretary of State considers it to be appropriate and proportionate for the preparedness against security compromises, prevention of adverse effects from security compromises and remediation or mitigation of adverse effects. It is unclear at this stage what those measures might be and providers may well be concerned about the impact this could have on their networks and network architecture without additional safeguards being put in place.
The Government may also give directions about designated vendors to impose requirements on providers with respect to the use of goods, services or facilities supplied by a designated vendor specified in the direction. This is clearly to enable the Government to impose the type of decisions they have been making with respect to the involvement of high risk vendors in future 5G and full fibre networks.
4. New codes of practice will set out guidance on measures to be taken
The Government has a broad, but supervised power, to issue codes of practice giving guidance on measures that should be taken to comply with the new requirements. Before issuing a code of practice, the Secretary of State must publish a draft and consult with Ofcom, providers and other appropriate stakeholders and lay the code before Parliament (among other things). The codes of practice will not be strictly be legally binding (a failure to comply will not itself make a provider liable to legal proceedings before a court or tribunal) but will be taken into account by Ofcom or in any legal proceedings where relevant to questions at issue. If requested by Ofcom, providers must explain failures to follow the codes of practice.
5. Broad duties to inform users and Ofcom of risks and occurrences of security compromises
Where there is a significant risk of a security compromises occurring, providers will need to take such steps as are reasonable and proportionate to bring the information to the attention of users who may be adversely affected. Likewise, Ofcom must be informed as soon as reasonably practicable of any security compromises that have significant effects on the operation of the network or service or, rather broadly, of any unauthorised access to, interference with, or exploitation of the network or service that puts any person in a position to be able to bring about a further security compromise that would have a significant effect on the operation of the network or service. Importantly, Ofcom must inform the Secretary of State of serious security compromises and may inform a range of other persons about the risk of or occurrence of security compromises.
6. Ofcom will have new powers and duties to assess compliance
Ofcom's powers will extend to giving assessment notices to providers to impose duties to undertake or allow a range of actions to be undertaken including testing and inspection of networks, services, premises, equipment, documents and information. This may be challenging for providers to pass through their supply chains. Strikingly, it is the provider that must pay the costs reasonably incurred by Ofcom in connection with an assessment.
7. Ofcom will have significant enforcement powers and may allow civil suits
There is a tiered system for penalties for contraventions with headline fines of 10% of relevant turnover (in the case of designated vendor directions) or £100,000 per day for other contraventions. Lower level fines also apply depending on the contravention. The Secretary of State has the power to change the level of various fines by regulation (but not the highest fines levied up to 10% of relevant turnover).
Importantly, many of the new security obligations are duties owed to every person who may be affected by a contravention and persons can bring actions for loss or damage with Ofcom's consent. It will be a defence for providers to show that they took all reasonable steps and exercised all due diligence to avoid contravening the duty in question.
Conclusion
At this stage the Telecoms Security Bill is only in draft form. It will be interesting to see if Parliament will seek to limit some of the broad powers that are conferred under the Bill or proceed to enable to the Government to implement its policy on telecoms security.
Much of the Bill will be welcomed by the Government, but providers are likely to have concerns at how practical it will be to comply, particularly with so much of the detail left to secondary legislation and codes of practice which have not yet been developed or tabled.
Many will see the requirements build on existing security requirements in legislation like the GDPR. But the expansion of the scope of security issues this covers, along with the increased burden for communications providers to comply with specified measures and codes of practice and to pay Ofcom's costs of assessments, will be concerning to the industry. Providers may face difficulties flowing down security standards and audit requirements into the supply chain and making sure that they are in a position to demonstrate their own compliance with the legislation.
Some significant questions will also arise in terms of how the new Telecoms Security Bill will align with other legislation impacting on the security of communications networks and services, such as the Data Protection Act 2018 and the Privacy and Electronic Communications Regulations 2003, for which the ICO is the competent regulatory authority.