Having now caught up with the recent publication of the Telecommunications (Security) Bill in the UK, we are wondering whether or not the Department of Culture, Media and Sport (DCMS) and the Office of Communications (Ofcom) are relocating to Hampton Court Palace.
Hampton Court was the opulent seat of King Henry VIII, the man often credited with the concept of the divine right of Kings to rule. Given the draconian provisions of the new Bill – which is all the more remarkable for being a notable departure from the liberal telecommunications trading environment the UK is known for – such surroundings may be more conducive to such authoritarian leanings.
Wow! What is this new bill?
In recent times, the UK Government has been working on measures with respect to national security and telecommunications networks. The major headline which we are all aware of, in many jurisdictions, is the presence of Huawei, but that’s only one part of the puzzle.
If passed into law (and it appears to be on a fast track with its second reading coming just days after the first), then the headlines are:
- A broad requirement for public electronic communications networks (PECN) and public electronic communications services (PECS) to take proportionate and appropriate measures to identify the risks of security compromises, reducing said risks and preparing for their occurrence.
- A security compromise will be anything that compromises the availability, performance or functionality of the network, any unauthorised access, interference or exploitation (or anything that enables it), anything that compromises the confidentiality of signals or for them to be lost, or unintentionally altered.
This is very wide-ranging indeed. The definitions of PECS and PECN are already established in the Communications Act 2003:
"electronic communications network" means a transmission system for the conveyance, by the use of electrical, magnetic or electro-magnetic energy, of signals of any description
“electronic communications service” means a service consisting in, or having as its principal feature, the conveyance by means of an electronic communications network of signals, except in so far as it is a content service.
In other words, everyone is potentially in scope to comply – from the major UK networks such as BT and Vodafone, through established but comparatively smaller ITSPs such as Voipfone, through to the IT maintainer that has started to offer IP Telephony as a value-add service.
Once in scope, the effort is substantial: the duty covers any risk to the availability of a network or the confidentiality of its content. Absent any form of explanatory guidance (which we will come on to), the obvious questions are whether unencrypted data traffic will continue to be lawful or, in terms of voice, whether or not public-IP as a means of interconnect meets these criteria.
That, and a very literal reading would suggest that packet loss, a relatively standard phenomenon, is captured as a “security compromise”.
Code of Practice
At some point, DCMS, in consultation with affected PECN/Ss and Ofcom, will publish a Code of Practice outlining what measures it expects to be taken in relation to the requirements summarised above. You would be forgiven for thinking that provides some succour; while such an exercise would be expected to generate something sensible, the Government is seeking to give itself the power, in two preceding sections of the Bill, to provide that “a provider of a [PECN or PECS] must take specified measures or measures of a specified description”. Such powers would be used to mitigate perceived threats, or to respond to them while they are occurring.
Thankfully, the Bill goes on to provide that a PECN/S not complying with the Code of Practice is not automatically liable for proceedings – we assume to allow for PECN/Ss to go further and better. However, all PECS/PECNs will have to submit to audits and inspections and will have to explain any non-conformity – under threat of daily fines that could rack up to £10m. Oh, and they’ll have to pay for whatever costs are “reasonably” incurred by Ofcom in said inspections or audits – now is the time to buy shares in those large, bloated multinational consultancies with the fancy offices!
Control of the narrative
If the worst happens and you do find yourselves in the spotlight for an incident, you may seek solace in controlling the narrative. In a section that will send shivers down the spine of any PECN/S’ public and media affairs departments, the Bill provides for Ofcom to be able to inform your users, and indeed the world, of what is going on and what the impact might be.
Two Weeks' Grace
If, after you’ve shelled out your hard-earned revenue to line the pockets of a Partner of a well-known LLP that poked and prodded around your network, Ofcom don’t like what they see, you could end up with a remedial notice. Upon receipt of this, you could have as little as fourteen calendar days to fix it, or file at the High Court to overturn it. Thankfully the act of filing acts as an automatic “injunction” pausing the requirement to comply until the case is determined, but on the assumption that non-conformities are likely to be substantial, this could place significant pressure on your operations to deliver in short timescales. This becomes especially acute where you may be forced to announce to your user base (under another provision in the Bill) that you have a security compromise – where there is a “significant risk of a security compromise” to “take such steps as are reasonable and proportionate for the purpose of bringing the relevant information, expressed in clear and plain language, to the attention of persons who use the network or service and may be adversely affected by the security compromise”.
Guilty Until Proven Innocent
In keeping with our autocratic Tudor theme, the Bill also provides for Ofcom to be able to mandate “interim steps” a provider must take even before Ofcom has commenced any enforcement action.
The Bill introduces a clear path by which (if Ofcom give such a Decree to allow the peasants to launch such proceedings from their new throne) the affected users of a security compromise can start a claim for any loss or damage.
The immediate thought that springs to mind is that the transfer of risk for the cost of unauthorised access to a telephony system to the user, as seen in contracts following the Voiceflex case, could become quite interesting. The defence allowed for in the Bill is for “the provider to show they took all reasonable steps and exercised all due diligence to avoid contravening the duty in question” [our emphasis].
Legalese 101 – “best endeavours” and “all reasonable steps” are high thresholds.
Designated Vendors (and Persons)
This will be no surprise – the Government is seeking to ban equipment vendors from networks.
Anyone that has watched any procedural drama ever made will be aware that “national security” trumps everything and provides for a certain obfuscation. That is true here – national security will be the justification, which, as you would expect, comes with the get-outs for transparency on reasoning, for the Government to ban any vendor (including their services and facilities), without notice, from UK networks – if it’s proportionate to do so. Furthermore, a similar, but separate, provision applies to persons, not just vendors.
Is it really that bad?
Granted, we have taken a slightly flippant approach to a literal reading of the draft Bill prior to the Parliamentary process. The long-standing concepts in law of reasonableness and proportionality referred to in the Bill should fetter the most outlandish possible outcomes, with the availability of judicial oversight if the worst does happen.
However, some of this fettering – the Code of Practice and other guidance and documentation – has yet to be published. The Bill, if it eventually receives Royal Assent, will give these documents significant legal weight – but these significant and operative parts won’t have the same Parliamentary scrutiny as the Bill.
What has yet to be explained in the discourse around the Bill to date is precisely why the existing provisions (which will be repealed if the Bill becomes law) are insufficient:
(1) Network providers and service providers must take technical and organisational measures appropriately to manage risks to the security of public electronic communications networks and public electronic communications services.
(2) Measures under subsection (1) must, in particular, include measures to prevent or minimise the impact of security incidents on end-users.
(3) Measures under subsection (1) taken by a network provider must also include measures to prevent or minimise the impact of security incidents on interconnection of public electronic communications networks.
(4) A network provider must also take all appropriate steps to protect, so far as possible, the availability of the provider’s public electronic communications network.
The Government has laid out in detail why legislation and policy with respect to the security of telecommunications are generally needed (and you will be hard-pressed to find anyone reasonable that disagrees with the importance of it) – but not, to our knowledge, why the above needs to be replaced by such authoritarian and draconian seeming measures.
There is also the recognition that not all providers have the resources of global telecommunications companies and may be approached in a lighter-touch manner. However, it is important to note two things. Firstly, this is a Government promise, not embedded in the Bill; it can be reneged upon at any time. Secondly, the Government has made it clear that the smaller operators still have to comply with the law – it is only the Code of Practice that might not be applied to them.
How, precisely, are less well resourced operators meant to comply with the very broad and far-reaching legal requirement quoted at the start of this piece, without reference to the consulted-upon Code of Practice?
The code of practice will apply to the largest national-scale (‘Tier 1’) telecoms providers, whose availability and security is critical to people and businesses across the UK. These providers will also be subject to intensive Ofcom monitoring and oversight.
The code of practice will also apply to medium-sized (‘Tier 2’) telecoms providers, who will be subject to some Ofcom oversight and monitoring. These providers are expected to have more time to implement the security measures set out in the code of practice.
The smallest (‘Tier 3’) telecoms providers, including small businesses and micro enterprises, will need to comply with the law. It is not anticipated that the code of practice will be applied to Tier 3 providers, but these providers may be subject to some limited Ofcom oversight.
If you are affected by this, either as an ISP or ITSP (and indeed, the scope does appear to extend the provisions to resellers), then we are, as ever, available for an initial call to see if we can assist.
With the old adage of “safety in numbers” in mind, affected providers may also wish to consider joining ISPA and/or ITSPA depending on their core business; both are following the matter closely and are engaged with various stakeholders as the Bill proceeds through Parliament.