Telecoms Security Bill: draft specific obligations for ISPs and telcos


I wrote last year about the Telecoms Security Bill. The bill, if passed, would be a significant change to the security obligations imposed on providers of electronic communications networks and services. As I noted in that post, the bill has two parts:

  • Changes to the existing security obligations under the Communications Act 2003
  • "Designated vendor directions"

Under the changes to the Communications Act, there is a proposal that:

The Secretary of State may by regulations provide that the provider of a public electronic communications network or a public electronic communications service must take specified measures or measures of a specified description.

In January 2021, the government published a draft of some specified measures, in the draft "The Electronic Communications (Security Measures) Regulations 2021".

One word: oof.

If you provide a public electronic communications network (PECN) or a public electronic communications service (PECS), pay attention, as the requirements look onerous.

I strongly suggest that you read the draft regulations yourself, to see exactly what is being proposed. But here's my summary.

This is the header of the draft Regs:

This document contains draft Regulations setting out security measures to be taken by providers of public electronic communications networks and services. It has been made available by the Department of Digital, Culture, Media and Sport to illustrate how the powers in the Telecommunications (Security) Bill (as introduced to Parliament) may be used, and to support early engagement with providers.

So if you have thoughts / input, make your voice heard asap.

Please bear in mind that this is only a draft. It may change, and you may want to try to influence changes!

Network architecture

Everyone who provides a PECN would be required to:

  • build new networks "in a manner which appropriately reduces the risks of security compromises" ("security compromises" is not defined. Edit: it is not defined in the draft SI, but is defined in the Bill itself — my mistake)
  • redesign and reconstruct existing networks, so far as is appropriate and proportionate, in a manner which appropriately reduces the risks of security compromises
  • maintain their networks in a manner which appropriately reduces those risks

The "redesign and reconstruct" your existing networks bit is limited to "so far as is appropriate and proportionate", but that still means re-evaluating what you have already deployed, and making changes as necessary.

There is a proposal for a list of what you must do "in particular" (i.e. a non-exclusive list), and, if nothing else, it is going to mean a lot more paperwork / documentation.

There's a fun one stuck at the end of the list:

to ensure that the network provider is able to assess risks to, and where necessary maintain the operation of, a public electronic communications network located in the United Kingdom, without reliance on persons, equipment or stored data located outside the United Kingdom.

Do you have an overseas centralised NOC / monitoring facility?

Reliant on a vendor with third line support outside the UK?

It looks like both of those would need to be reconsidered carefully. (And what a great opportunity for vendors to sell you their premium "UK only" package. For a suitably-increased price, of course.)

Protection of data and network functions

Both PECN and PECS providers would be required:

  • to protect any data stored by electronic means in a manner which is proportionate to the sensitivity of the data, and
  • to protect functions of the public electronic communications network (in the case of a PECS provider, the PECN by means of which the PECS is provided) in a manner which is proportionate to the sensitivity of each function.

As with network architecture, there are specific requirements, including that:

ensure that workstations through which privileged access is possible are not exposed to external networks

and

ensure that tools enabling monitoring or audit cannot be accessed from outside the United Kingdom if they enable monitoring or audit in real time, or of the content of signals

So no VPN connection when at an overseas conference (hah! As if those happen any longer...) to anything which can monitor your network or service.

My ISP, A&A, offers ping graphs for its connections, so users can see at a glance what is going on with their line "in real time". Will that need to be restricted to UK access only? Really?

Monitoring and audit

This gets really fun.

A PECN provider would be required:

  • to monitor and analyse signals entering, transiting or leaving the electronic communications network for the purpose of identifying anomalous activity, and
  • to investigate anomalous activity.

Both PECN and PECS providers would be required to:

monitor, analyse and audit the use of the public electronic communications network or public electronic communications service for the purpose of identifying the occurrence of any security compromise, using automated means of monitoring and analysis where possible.

So far, not too unusual.

Wait for it.

"a record of all access to the network or service"

There is a "particular" requirement:

to maintain a record of all access to the network or service

And to keep hold of this record for 13 months.

I'm sure one of my PECN/PECS-running friends will correct me here, but that sounds an awful lot like an obligation on every provider to maintain a log — for over a year — of every single time someone uses their Internet connection or phone service, and for every single inbound traffic activity.

In other words, recording the signalling data — metadata, in essence — of Every. Single. Packet. Can that be correct?

For example, I run a web server on my Internet connection — you're connected to it now. If I understand correctly, this means that (if this becomes law) your access to this blog page must be logged by my ISP.

If I'm overstating it, it is because there is no definition of "access".

Is it supposed to cover only login attempts to network infrastructure, as opposed to every time someone tries to access a provider's network or service to pass traffic over it?

("Ah, but what about retention notices under the Investigatory Powers Act 2016?", you say. Part 4 of the Investigatory Powers Act 2016 does not impose retention obligations on all telecommunications operators. Instead, it establishes a framework under which the Secretary of State can impose retention obligations on a particular operator, if they consider it necessary and proportionate to do so, and only if their decision is approved by a Judicial Commissioner. It does not entail the automatic imposition of a retention obligation on every PECN and PECS provider. So this is significantly different.)

"prevent activities that unreasonably restrict monitoring, analysis and investigation"

Another "particular" requirement I'm struggling to get my head round is this:

to take measures to prevent activities that unreasonably restrict monitoring, analysis and investigation under this regulation

Whose activities — the ISP's own activities, or their users' activities, or all third parties' activities?

What does this mean?

  • Prohibit users from running Tor .onion services, on the basis that it would "unreasonably restrict" the ISP's ability to determine the identity of someone connecting to that service?
  • A ban on inbound traffic from known VPN concentrators?
  • A ban on unregistered pre-paid SIMs, or unregistered free Wi-Fi (as these could restrict the investigation of anomalous activity / security compromises)?

Supply chain

Both PECN and PECS providers would be required to:

identify and reduce the risks of security compromises occurring as a result of the provider depending on other persons (“third party suppliers”) to supply, provide or make available goods, services or facilities for use in connection with the provision of the public electronic communications network or public electronic communications service.

If nothing else, this is going to require documentation of due diligence activity, and new / enhanced obligations in contracts. (rubs hands together, Scrooge McDuck-style)

This includes a particular requirement:

to reduce dependence on a single third party supplier in the procurement of any equipment in any part of the network that connects directly to customers or performs the associated transmission functions.

Bad luck, Openreach.

Prevention of security compromise and management of security permissions

Both PECN and PECS providers would be required to:

take such measures as are appropriate and proportionate to prevent the occurrence of security compromises in relation to the public electronic communications network or public electronic communications service.

There's some good, if rather micro-managerial, stuff here:

to require two or more independent credentials to be present in order to access security critical functions

Remediation and recovery

Both PECN and PECS providers would be required to:

take such measures as are appropriate and proportionate for the purposes of limiting the adverse effects of security compromises and enabling the provider to recover from any security compromises

Again, there's a UK territoriality aspect here, as some of what is required — in terms of storing information — must be carried out within the UK.

Testing

Both PECN and PECS providers would be required to:

carry out, or arrange for another person to carry out, such tests in relation to the network or service as are appropriate and proportionate for the purpose of assessing the resilience of the network or service to the risks of security compromises occurring. ... The tests must involve simulating, so far as is possible, techniques that might be expected to be used by a person seeking to cause a security compromise.

Mandatory red teaming.

But it's going to be challenging for small providers (to whom these regulations would apply):

The network provider or service provider must ensure, so far as is reasonably practicable ... that the manner in which the tests are to be carried out is not made known to the persons involved in identifying and responding to security compromises in relation to the network or service or the persons supplying any equipment to be tested

Hopefully, the "so far as is reasonably practicable" can do sufficient heavy lifting here.

Assistance

I'm not sure what this bit means. A PECS provider must:

  • not do anything which impedes the taking by the relevant network provider of a measure required by these Regulations or the efficacy of a measure so required, and
  • when requested by [a network provider providing the service by means of which the PECS is provided], provide that network provider with such assistance as is proportionate in the taking of any measure required by these Regulations.

There's no mention of cost, so expect an argument as to whether a PECS provider is required to provide this proportionate assistance for free or not. Probably something to be baked into contracts.

There's another slightly weird one in this section too:

A network provider or service provider must seek appropriate assistance from other persons where necessary to reduce the risk of security compromises to the provider’s public electronic communications network or public electronic communications service.

What does it mean? As a provider, how do you know if you have met this requirement or not? Would it be mandatory to hire a lawyer to make sure your contracts are suitable? Engage with the NCSC? Pay for outside help?