Telecoms security in the UK: proposal for new regulations and code of practice
Following the passage of the Telecommunications (Security) Act (TSA) in November 2021, the government has launched a new consultation and cost survey as the next stage of the new UK telecoms security framework. As a reminder, the new security framework for the UK’s telecoms networks and services is established through the TSA and has three layers:
- Strengthened overarching security duties on public telecoms providers. These are set out in new sections 105A and 105C of the Communications Act 2003 (“the Act”) as amended by the TSA.
- Specific security measures
- Technical guidance in the Code of Practice
It is the latter two layers that industry can now consider and respond to.
Firstly, DCMS has published an updated draft statutory instrument (SI) entitled “The Electronic Communications (Security Measures) Regulations 2022” (draft regulations). The SI sets out the specific security measures to be taken in addition to the overarching duties in the Act, and has been amended from the January 2021 draft regulations that techUK responded to.
The significant changes to note are:
- Regulation 5 - Protection of tools enabling monitoring and analysis: contains requirements to protect monitoring and analysis tools by ensuring that providers account for location-related risks. The schedule in the draft regulations lists certain high-risk locations where security capabilities that monitor and analyse UK networks and services must not be located. Security capabilities must also not be accessible from those locations. Where providers host capabilities in other non-UK locations, they must identify and reduce the risks of security compromise occurring as a result of monitoring and analysis tools being stored on equipment in those locations.
- Regulation 6 – Monitoring and analysis: contains requirements that centre on using monitoring and analysis tools to identify and record access to the most sensitive parts of the network or service (defined as ‘security critical functions’). This includes securely retaining logs of access to security critical functions for at least 13 months, and having systems that alert providers to, and allow them to address, unauthorised changes to those functions. The earlier draft applied the 13-month retention requirement to all data.
- Regulation 11 – Reviews: the draft regulations and the draft code of practice measures relating to security reviews are intended to ensure providers demonstrate proper oversight of, and understand, the security of their networks and services, so that they are incentivised to make improvements that keep pace with the risks they face.
- Regulation 12 – Patches and updates: DCMS has clarified this regulation following industry feedback. It now contains requirements standardising best practice, such as rapid patching, with the aim of fixing any new vulnerability within 14 days of a patch becoming available wherever possible.
- Regulation 16 – Exemption for micro-entities: nothing in regulations 3 to 15 of the draft applies to a network provider or service provider that is a micro-entity. However, a micro-entity that is a third-party supplier to a larger provider (see Tiering below) will have to implement the same security measures as that provider.
Draft Code of Practice
Now published for the first time, and incorporating the NCSC’s telecoms security requirements (TSRs), the code of practice provides detailed technical guidelines to large and medium-sized providers of public electronic communications networks and services (PECN and PECS) on the government’s preferred approach to demonstrating compliance with the duties in the TSA and the requirements in the regulations outlined above.
The Code is structured in three parts. Section 1 provides an introduction and background information on the guidelines, including their legal status within the new security framework and how they apply to telecoms providers. Section 2 explains the key concepts that all providers need to understand when applying the specific security measures contained in the draft regulations.
Section 3 contains the technical guidance measures and maps each individual guidance measure to the relevant security measures in the regulations. It also sets out the implementation timeframes for the technical guidance measures, which certain providers are expected to follow. techUK understands that the mapping of measures to regulations in Section 3 is indicative, and DCMS welcomes feedback on this mapping in responses to its consultation.
Industry finally has confirmation of the government’s approach to tiering with regards to the Code of Practice. Using turnover as a proxy for scale and value of services, and therefore security risk and impact, telecoms providers will be tiered as follows:
- Tier 1 providers would be the largest organisations providing public networks and services for which a security compromise would have the most widespread impact on network and service availability, and the most damaging economic or social effects (relevant turnover in the relevant period of £1bn or more).
- Tier 2 providers would be those medium-sized companies providing networks and services for which security compromises would have an impact on critical national infrastructure (CNI) or regional availability with potentially significant security, economic or social effects (relevant turnover in the relevant period of more than or equal to £50m but less than £1bn).
- Tier 3 providers would be the smallest companies in the market that are not micro-entities. While security compromises to their networks or services could affect their customers, if those networks and services do not support CNI such compromises would not significantly affect national or regional availability (relevant turnover in the relevant period is less than £50m).
DCMS is particularly keen to receive industry feedback on its proposed approach to tiering in the draft code. There is no differentiation between PECN and PECS. Turnover here uses the same definition of relevant turnover as used to establish Ofcom’s administrative fees. Tiering has an impact on implementation timelines (see below).
The draft regulations are expected to commence on 1 October 2022. The draft code sets out which measures are expected to be implemented, by which tier of provider, and by when (between 31 March 2023 and 31 March 2028). Some measures are already underway, as industry has been working to the now-superseded TSRs. The deadlines follow a clear pattern: measures that are easier and less resource-intensive to implement come first, and the most complex and resource-intensive measures come last. Tier 2 providers are given two years longer than Tier 1 providers to comply, but all providers are encouraged to act on all measures as soon as is practicable.
The government proposes that the regulations and code of practice should address the particular challenges of securing ‘legacy’ equipment and systems, for example by including requirements and measures to ensure the provision of lifetime support to help maintain security. It is not proposing a blanket exemption for such equipment and systems from the regulations or the measures in the code of practice.
The consultation on the draft regulations and code of practice is now open for ten weeks (deadline 23:45 on 10 May 2022). Responses to the consultation should be submitted to [email protected]
Impact of the regulations and code of practice on providers
The final regulations and code of practice will have a significant impact on the public telecoms providers to which they apply. An updated cost survey is provided for completion alongside this consultation on the draft regulations and code.
The survey seeks feedback by 23:45 on 12 April 2022 on the cost impacts of the draft regulations and code of practice. Data gathered through the survey will be used to update the impact assessment and inform development of the final regulations and code of practice.
DCMS is particularly keen to hear from smaller providers and from businesses that resell services. After the survey closes, DCMS will carry out qualitative research. Businesses that participated in the 2021 impact survey will find their previous answers saved, with the option to update them as necessary.
For further info on concurrent activity by NCSC and Ofcom, please get in touch with Sophie James.
On 8 March 2022, Ofcom, the UK communications regulator and the enforcement agency for the Telecommunications (Security) Act’s security framework, published a package of guidance for consultation.
Under the new framework, Ofcom has a duty to ensure providers comply with their security duties, including those relating to the availability, performance or functionality of the network or service, and the framework gives Ofcom powers to proactively monitor and enforce those duties.
Ofcom has set out the procedures it expects to follow in carrying out its monitoring and enforcement activities. The regulator has also proposed new guidance on which security compromises providers are expected to report to Ofcom.
It is also proposing to update its existing guidance on network resilience to reflect the new framework and the draft regulations and Code of Practice on which the UK Government is currently consulting.
The deadline for responses to the Ofcom consultation is 17 May 2022. Ofcom will publish its final procedures and guidance in the autumn, before the commencement of the TSA in October 2022.
techUK's Communications Infrastructure and Services Programme will be leading the response to the consultation on behalf of our telecoms members. If you are interested in contributing, please join our Telecoms Security and Diversification Working Group. Further details will be shared with this group on a regular basis.