Background

Following the introduction of the Telecoms (Security) Bill on 24 November 2020,(1) which has undergone the first reading in the House of Lords, details of key secondary legislation have been released – namely, the draft Electronic Communications (Security Measures) Regulations 2021.

The draft secondary legislation continues in the same vein as the Telecoms (Security) Bill. Its scope is far reaching and it imposes considerable requirements on operators of networks as well as service providers either in or with any operations in the United Kingdom.

What new requirements does the draft legislation propose?

The proposed rules will significantly affect any international operations for companies such as BT and international operators with a presence in the United Kingdom. They contain highly restrictive (if somewhat unclear and inconsistent) provisions about the need for a UK locus for compliance and avoiding dependency on overseas parties or services. This is not how most networks operate and will prove highly challenging for cross-border network operators and those with service elements overseas.

The proposed rules also set out:

  • extensive audit obligations;
  • duties to ensure no undue dependence on a single provider; and
  • obligations to flow down certain obligations to key suppliers.

Finally, there are governance obligations, with certain security functions now having to be allocated at board level.

The Internet Services Providers' Association (ISPA) highlighted its concern that the new framework:

"is moving towards a highly prescriptive, burdensome and inflexible regime which may introduce localised measures for multinational companies" and that "such localised measures increase cost and burden, and raise the risk of duplication".(2)

The new rules are some of the most far-reaching rules globally and there must be much greater engagement with the industry on their practical application. The move to recognise some tiering of the rules according to the scale of the operator is helpful, but it does not detract from the fundamental misunderstanding of how modern communications operations work across borders, nor from the costs of the proposed rules. Further, the authorities must consider the attractiveness of the United Kingdom as a hub for communications providers before the rules are implemented in their present form.

Who will the new obligations affect?

The new obligations apply to both network and service providers, with slightly broader obligations on network providers.

The definitions of such providers follow the Communications Act 2003, whereby:

  • a 'network provider' means a provider of a public electronic communications network; and
  • a 'service provider' means a provider of a public electronic communications service.

There are also cooperation mechanisms built in where a network and service provider work in parallel and have to coordinate to deal with issues under the new rules. This makes sense in the increasingly interconnected communications ecosystem.

What are the core provisions?

If passed, some of the core provisions include:

  • far-reaching duties on network architecture (ie, security by design) – including designing, constructing and maintaining any networks or network elements while taking the utmost account of security;
  • obligations to retain, for at least 13 months, all data relating to:
    • any access to the network or service; and
    • network monitoring of all signals entering, transiting or leaving the network for the purpose of identifying and investigating anomalous activity by the operator;
  • monitoring and auditing duties;
  • duties to review all aspects of the supply chain and analyse and minimise any dependencies on third parties;
  • duties which involve the prevention of security compromises and the management of security permissions; and
  • governance and accountability duties.

While some of the above provisions are restricted to new-build infrastructure, this is not the case for most of them.

It has recently been announced that there will be some categorisation by the scale of the operator via a proposed code of practice (see "Next steps and adoption") but the proposed rules still rank as some of the most extensive globally. All operators will have to take steps to comply and be able to demonstrate compliance.

Network architecture

Network operators will have to:

  • design, construct and maintain any new network in a manner that reduces the risk of security compromises. Operators must redesign and reconstruct any existing parts of the network (ie, parts of the network which exist before the new legislation takes effect) to reduce the risk of security compromises subject to appropriateness and proportionality;
  • conduct a detailed analysis of risks to the entire network and its functions, focusing on:
    • whether the functions contain personal data;
    • whether the functions are security-critical functions;
    • the location of the functions or data relating thereto; or
    • the exposure of the functions to external signals;
  • take appropriate measures in the procurement, configuration, management and testing of equipment to ensure its security and the security of the functions carried out thereon; and
  • ensure that the network provider can assess risks to, and where necessary maintain the operation of, a network located in the United Kingdom.

Monitoring and auditing

Out of all of the proposed new rules, the duty to retain data on access to the network (or service) for 13 months is attracting the most attention. Although this duty covers the information about the access itself rather than the content of the access activity, it is still a potentially huge burden, particularly for internet service providers and multinational network operators. This rule also applies across all infrastructure and services, not just to new-build infrastructure.

Throughout the bill, there are extensive United Kingdom-only reliance provisions. However, it is hard to see how these would work in practice and they are internally inconsistent in the terms and obligations applied.

On the protection of data and network functions (Clause 4(3)), the rules state that operators must ensure that tools which enable monitoring or audit cannot be accessed from outside the United Kingdom if they enable monitoring or audit either in real time or of the content of communication or transmission of signals. Given that this is what most aggregators or network operators do to ensure effective service to their clients, this seems an overly onerous provision.

Another area of inconsistency is that the obligations on network architecture require operators to assess the risk to and, where necessary, maintain their networks "without reliance on persons, equipment or stored data located outside the United Kingdom" (Clause 3(3)(f)). This is a high threshold for international network operators to meet and must be clarified.

The obligations enshrined in Clause 5(3) are far ranging and merit quoting in full:

The duty [to monitor, analyse and audit] includes, in particular, a duty — (a) to maintain a record of all access to the network or service (but not of the content of signals), (b) to have in place means and procedures for producing immediate alerts of all manual amendments to security critical functions, (c) to analyse promptly all activity relating to security critical functions of the network for anomalous activity, (d) to ensure that all data required for the purposes of a duty under paragraph (1) or subparagraphs (a) to (c) is held securely for at least 13 months.

Again, this is backed up by an anti-overseas provision – defined in a different way to the other provisions – which states that the duty extends to an obligation on the network operator "to avoid dependence on persons, equipment or stored data located outside the United Kingdom to monitor and audit the use of networks located in the United Kingdom" (Clause 5(3)(h)).
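As an added illustration of what the Clause 5(3) duties translate into operationally (this is example code written for this commentary, not part of the draft regulations or any operator's system), the following sketch reads constructed access records in a hypothetical JSON-lines format, flags manual amendments to an assumed set of security-critical functions for immediate alerting, rejects records that would capture signal content, and works out which records have already been held for the 13-month minimum.

```python
import json
from datetime import datetime

# Constructed sample access records (hypothetical format, not prescribed by the rules).
SAMPLE_LOG = """\
{"ts": "2021-01-04T09:12:00Z", "user": "ops1", "function": "hss-subscriber-db", "action": "read", "manual": false}
{"ts": "2021-01-04T09:15:30Z", "user": "ops2", "function": "core-routing-policy", "action": "modify", "manual": true}
{"ts": "2021-01-04T09:20:00Z", "user": "automation", "function": "core-routing-policy", "action": "modify", "manual": false}
{"ts": "2019-11-01T08:00:00Z", "user": "ops1", "function": "billing-portal", "action": "read", "manual": false}
"""

# Which functions count as security critical is an assumption made for this example.
SECURITY_CRITICAL = {"hss-subscriber-db", "core-routing-policy", "lawful-intercept-gateway"}
REQUIRED_FIELDS = {"ts", "user", "function", "action", "manual"}
FORBIDDEN_FIELDS = {"content", "payload"}  # Clause 5(3)(a): record access, not signal content


def parse_ts(value):
    """Parse an ISO-8601 UTC timestamp such as 2021-01-04T09:12:00Z."""
    return datetime.fromisoformat(value.replace("Z", "+00:00"))


def parse_records(text):
    """Parse JSON lines into access records, rejecting malformed or content-bearing ones."""
    records = []
    for line in text.splitlines():
        if not line.strip():
            continue
        rec = json.loads(line)
        missing = REQUIRED_FIELDS - rec.keys()
        leaked = FORBIDDEN_FIELDS & rec.keys()
        if missing or leaked:
            raise ValueError(f"bad record: missing={missing} forbidden={leaked}")
        rec["ts"] = parse_ts(rec["ts"])
        records.append(rec)
    return records


def manual_critical_amendments(records):
    """Records needing an immediate alert (Clause 5(3)(b)): manual changes to critical functions."""
    return [r for r in records
            if r["manual"] and r["action"] != "read" and r["function"] in SECURITY_CRITICAL]


def retention_cutoff(now):
    """Instant 13 months before `now`; anything newer must still be held (Clause 5(3)(d))."""
    month, year = now.month - 13, now.year
    while month <= 0:
        month, year = month + 12, year - 1
    return now.replace(year=year, month=month, day=min(now.day, 28))


def eligible_for_purge(records, now):
    """Records that have already been held for at least the 13-month minimum."""
    cutoff = retention_cutoff(now)
    return [r for r in records if r["ts"] < cutoff]
```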

Supply chain

As expected, the rules contain provisions on supply chain elements that materially impact Huawei. The other provisions regarding supply chains have been lost in the debate and put far-reaching obligations on network operators to identify and reduce the risks of security compromises (Clause 6). The obligations include extensive duties to review all aspects of the supply chain to ensure that there are no exposures as well as (most likely) renegotiate relevant existing contracts to include the mandatory obligations.

Under the proposed rules, operators will have to:

  • identify and reduce the risks of depending on third-party suppliers in relation to any goods, services or facilities for use in connection with the networks or services. Such assessment must cover all risks of the relevant supply chain, including risks which arise during the entire lifetime of any contractual arrangement with third-party suppliers and the underlying supply chains of such suppliers;
  • ensure, through contracts or otherwise, that:
    • their suppliers take appropriate measures to identify, disclose and reduce the risks of security compromises to the operators' networks or services which arise from the use of the suppliers' products and services;
    • where a supplier is itself a network provider and is given access to an operator's network or to sensitive data, the supplier takes measures equivalent to those that the operator must take in relation to its own network;
    • their suppliers take appropriate measures to enable the operator to monitor all activity undertaken by the suppliers on the operator's network;
    • their suppliers take appropriate measures to cooperate with the operator on the resolution of security incidents; and
    • their suppliers take appropriate measures regarding their own suppliers or sub-contractors;
  • ensure that all network connections and data sharing with third-party suppliers are managed securely; and
  • have in place written contingency plans (ie, plans for migrating or transitioning from contracts with third-party suppliers while maintaining the security of the networks or services).

Further, network providers will always have to have and regularly review a written plan to maintain the normal operation of the network if supply or support from a third-party supplier is interrupted.

In relation to SIM cards, service providers (not just network providers) will have to monitor and reduce the security risks relating to subscribers' SIM cards and replace them if it is appropriate to do so to reduce such risks.

Finally, Clause 6(2)(e) contains another requirement that will prove challenging – namely, that the party will have to:

reduce dependence on a single third party supplier in the procurement of any equipment in any part of the network that connects directly to customers or performs the associated transmission functions.

This requirement will apply even if all of the reviews set out in the preceding sections have been undertaken. Further, there are no proportionality or cost caveats to this obligation.

Prevention of security compromises and management of security permissions

The obligations regarding the prevention of security compromises start off promisingly, with a proportional and appropriate caveat. However, they then dive into wide-ranging detail, which will require parties to take specific steps, including requiring that:

  • two or more independent credentials are present to access security-critical functions;
  • changes are overseen;
  • default criteria are avoided; and
  • compromise protections are regularly reviewed.

Clause 7(5)(f) further establishes that network and service providers must consider the user's location when determining their security permission. However, it is unclear what constitutes an appropriate location. It is also unclear whether a home working environment would be caught or whether the provision aims to target overseas access.

Governance and accountability

Finally, the legislation clarifies that network and service providers must treat security as an essential business function and put in place robust governance processes. These obligations include the need to have a person or committee at board level with responsibility for security management and policies and resourcing thereof. There must be a review of risks every 12 months recorded in a written assessment.

The bill puts great emphasis on the genuine competence of staff and on sufficient budgets to recruit and train them. The credentials of key individuals must be set against the requirements in the bill, albeit these have no nationality requirements (eg, in India).

Next steps and adoption

The government has proposed categorising operators into three tiers depending on their size (ie, national, medium and small operators). These tiers will determine the extent to which they will have to follow the code of practice and the level of Ofcom oversight to which they will be subject.

The code of practice will set out detailed security measures which operators can take to demonstrate compliance with their duties under the bill and secondary legislation. The code will provide guidance on how, and to what timescale, certain providers should comply with their legal obligations. For example, it will set out the detailed technical measures that should be taken to segregate and control access to the areas of networks that process and manage customers' data. Operators would be expected to demonstrate compliance with the security duties by complying with this code.

The code of practice will apply to both large, national-scale telecoms providers – whose availability and security is critical to people and businesses across the United Kingdom – and medium-sized telecoms providers. The difference will be the level of Ofcom oversight, with the larger providers being subject to intensive Ofcom monitoring and medium-sized operators being subject to only some oversight and monitoring.

The smallest telecoms providers, including small businesses and micro-enterprises, will have to comply with the law. It is not anticipated that the code of practice will apply to such providers, but they may still be subject to monitoring and oversight from Ofcom.

The draft secondary legislation may be subject to further changes. According to the government, the draft has been made available to illustrate how the government may use its new powers under the UK Telecoms Security Regime and "to enable early engagement with providers during the passage of the Bill".(3) The bill has undergone the first reading in the House of Lords and, if it is adopted as expected, the secondary legislation will come into force later in 2021.

However, there is a concern that insufficient consultation has been planned before the secondary legislation is introduced. Given the extent of the obligations imposed on network and service providers, and the range of parties the rules will affect, it is essential that such legislation is implemented correctly.

Endnotes

(1) For further information please see "UK to go for one of the toughest telecoms security regimes in the world".

(2) For further information please see "Telecommunications Security Bill: ISPA Bill Committee Submission".

(3) For further information please see the government's website.