What could the Telecommunications (Security) Bill mean for ISPs and telcos?
The first draft of the Telecommunications (Security) Bill was published last week.
It's only a bill at this point – it's still going through the legislative process — and so may change before it becomes law, indeed if it becomes law. (But there's a lot of political pressure here, so it is likely to become law, in some shape or form.)
If you run an ISP or telco, it's worth keeping an eye on this.
What the bill covers
The bill has two main parts to it:
- changes to the existing duties under the Communications Act 2003 in respect of security; and
- "designated vendor directions", which can be used to impose prohibitions or restrictions on a broad range of providers to
Changes to the existing security obligations under the Communications Act 2003
The imposition of security obligations on ISPs and telcos is not new — those obligations have been around for years now — but the bill makes some significant changes to them.
Do they apply to me?
If you were hoping that the obligations in the bill apply only to bigger networks or services, you're out of luck.
The general obligations relating to security apply to all providers of public electronic communications networks or public electronic communications services.
What are the measures?
I'm not going to comment on each and every measure, and you can read the detail for yourself here.
As headlines, they are:
- a duty to take "appropriate and proportionate" security measures relating to "security compromises"
- a duty to take specified security measures, set out by the Secretary of State in regulations
- a duty to take measures in response to security compromises (i.e. when something has happened)
- a duty to inform users of a significant risk of a security compromise, and to inform Ofcom of a security compromise
It doesn't apply to state-sanctioned backdoors
If you were thinking "aha, an obligation to impose security measures means I could not introduce backdoors / vulnerabilities / changes to comply with targeted interception or other obligations", you're out of luck.
It is not a defence to say that you are unable to comply with obligations imposed on you under the Investigatory Powers Act 2016 because of your duties in respect of security under the Communications Act 2003. If you are compelled to implement them, state-sanctioned backdoors take priority.
A non-binding code of practice on security, but you may have to explain why you haven't complied with it
The Secretary of State is empowered, but not required, to issue codes of practice giving guidance as to the measures to be taken by providers under these duties.
A code of practice is not legally-binding, in the sense that non-compliance does not of itself make the provider liable to legal proceedings before a court or tribunal.
However, if Ofcom has reasonable grounds for suspecting that a PECN or PECS provider is failing, or has failed, to act in accordance with a provision of a (non-binding) code of practice, Ofcom can demand a "statement" from the provider as to whether they are complying or not, requiring them to "explain the reasons" for their answer.
Civil liability for contravention of security duties
Here's a fun one.
In addition to regulatory sanctions, the bill makes express provision for ISPs and telcos to be sued by anyone affected by a breach / contravention of duty:
A duty imposed by or under any of sections 105A to 105D and 105J on a provider of a public electronic communications network or a public electronic communications service is a duty owed to every person who may be affected by a contravention of the duty.
Not just your customers (in respect of whom you may be able to limit your liability contractually for the impact of a breach, since that is not excluded by the current draft).
Every. Person. Who. May. Be. Affected.
You get compromised, and an attacker uses that compromise to pivot onto another network / service, and so on and so on? It looks like the initial point of compromise could, if they have breached any of their duties relating to security, be liable to everyone downstream who has been affected.
There is a slightly odd aspect to this, in that someone wishing to bring a claim needs to get Ofcom's consent, and that Ofcom can impose conditions on their consent. Cue plenty of litigation as to whether Ofcom has acted correctly in giving consent, or not...
"Designated vendor directions"
In addition to the general obligations on PECN and PECS providers, the bill contains a provision permitting the Secretary of State to give what is to be known as a "designated vendor direction” to a public communications provider.
What is a "designated vendor direction"?
A designated vendor direction is a tool to impose requirements on a public communications provider with respect to the use of goods, services or facilities supplied, provided or made available by a designated vendor specified in the direction.
A direction would set out the public communications provider or providers to which the direction is given, the reasons for the direction (unless specifying reasons in the direction would be contrary to the interests of national security), and the time at which the direction comes into force.
In essence, a tool which enables the SoS to prohibit, or restrict, the use of certain vendors, or impose limitations and conditions.
Who is a "public communications provider"?
This is broader than the already-broad notion of providers of PECNs or PECS, since it also includes:
a person who makes available facilities that are associated facilities by reference to a public electronic communications network or a public electronic communications service
(This is an existing definition, in s151 Communications Act 2003.)
When can the SoS give a designated vendor direction?
The Secretary of State may give a designated vendor direction only if they consider that the direction is necessary in the interests of national security, and that the requirements imposed by the direction are proportionate to what is sought to be achieved by the direction.
Duty to consult and notify
Before the SoS can give a designated vendor direction, they must consult the public communications provider or providers which would be subject to the proposed direction, and the person or persons who would be specified as a designated vendor or vendors, so far as it is reasonably practicable to do so.
This duty to consult does not apply if or to the extent the Secretary of State considers that consultation would be contrary to the interests of national security.
In addition to the duty to consult, the SoS is required to notify
Do I have to comply with a designated vendor direction?
A public communications provider to which a designated vendor direction is given must comply with the direction.
In addition to doing whatever the designated vendor direction requires, the SoS can require the public communications provider to prepare a plan setting out:
- the steps that the provider intends to take in order to comply with such requirements imposed by the direction as the Secretary of State may specify; and
- the timing of those steps
and to provide the plan to the Secretary of State.
There are various penalties for different breaches, all with quite big numbers attached to them.