The sea change in communications security obligations for network and service providers in the UK


Following our article on the new UK telecoms security regime, which has undergone the first reading in the House of Lords, we have seen the detail of key secondary legislation (i.e., the draft Electronic Communications (Security Measures)). The draft secondary legislation continues in the same vein. Its scope is exceptionally far-reaching and it imposes considerable requirements on operators of networks as well as service providers in the UK and those with any operations in the country.

The proposed rules will significantly impact any international operations for the likes of BT and international operators with a presence in the UK. They contain highly restrictive (if somewhat unclear and inconsistent) provisions about the need for a UK locus for compliance and avoiding dependency on overseas parties or services. This is not how most networks operate and will prove highly challenging for cross-border network operators and those with service elements overseas.

There are also extensive audit obligations, duties to ensure no undue dependence on a single provider, and obligations to flow down certain obligations to key suppliers.

Finally, there are governance obligations with certain security functions now being mandated to be allocated at board level.

The Internet Services Providers’ Association (ISPA) highlighted their concern that the new framework ‘is moving towards a highly prescriptive, burdensome and inflexible regime which may introduce localised measures for multinational companies’ and ‘such localised measures increase cost and burden, and raise the risk of duplication.’[1]

The new rules are some of the most far-reaching globally, and there needs to be much greater engagement with industry on their practical application. The move to recognise some tiering of the application of the rules depending on the scale of operator is helpful, but this does not detract from the fundamental misunderstanding of modern communications operations that operate across borders, or from the costs of the proposed rules. Also, the attractiveness of the UK as a hub for communications providers must be better considered by the authorities before these are implemented in the present form.

These new obligations apply to both network and service providers, with slightly broader ranging obligations on network providers.

The definitions follow the Communications Act 2003 whereby a ‘network provider’ means a person who provides a public electronic communications network while a ‘service provider’ means a person who provides a public electronic communications service.

There are also cooperation mechanisms built in where a network and service provider are working in parallel and need to coordinate in order to deal with issues under the new rules, which makes sense in the increasingly interconnected communications ecosystem.

If passed, some of the core provisions include:

  1. Far-reaching duties on network architecture (i.e. security by design), including designing, constructing and maintaining any networks or network elements with utmost account to security;
  2. Obligations to retain, for at least 13 months, all data relating to:
    • any access to the network or service; and
    • network monitoring of all signals entering, transiting or leaving the network for the purpose of identifying and investigating anomalous activity by the operator;
  3. Monitoring and Auditing duties;
  4. Duties to review all aspects of the supply chain, analyse and minimise any dependencies on third parties;
  5. Prevention of security compromise and management of security permissions; and
  6. Governance and Accountability.

While some of the above provisions are restricted to new build infrastructure, the same is not the case for the vast majority of the other obligations which we discuss below.

It has just been announced that there will be some categorisation by the scale of the operator via a proposed Code of Practice (see below) but the proposed rules still rank as some of the most extensive globally. All operators will be required to take steps to comply and be able to demonstrate compliance.

Network Architecture

Network operators will have to:

  • Design, construct and maintain any new network in a manner that reduces the risk of security compromises. In relation to any existing part of the network (i.e. before the entry into force of the new legislation), the operators must redesign and reconstruct that part to reduce the risk of security compromises subject to appropriateness and proportionality;
  • Conduct, as the core network security obligations require, a detailed analysis of risks to the entire network and its functions, focusing on whether such function may contain personal data or is a security critical function, the location of the function or data related to the function, and exposure of the function to external signals;
  • Take appropriate measures in the procurement, configuration, management and testing of equipment to ensure the security of the equipment and functions carried out on the equipment; and
  • Finally, ensure that the network provider can assess risks to, and where necessary maintain the operation of, a network located in the UK.

Monitoring and Auditing

The duty to retain data on access to the network (or service) for 13 months is getting the most attention. Whilst such data means not the content of such access activity but the information on the access itself, this is still a huge potential burden, particularly for ISPs and multi-national network operators. These rules also apply across all infrastructure and services – and not just for new build infrastructure.

Throughout the bill, there are very extensive, UK-only reliance provisions. But it is exceptionally hard to see how these would work in practice, and they are internally inconsistent in the terms and obligations applied.

On protection of data and network functions (clause 4 (3)), an operator must ensure that tools that enable monitoring or audit CANNOT be accessed from outside the UK if they enable monitoring or audit in real-time or of the content of communication / transmission of signals. Given this is what most aggregators or network operators do to ensure effective service to their clients, this seems an overly onerous provision.

And another piece of inconsistency – the obligations on network architecture require an operator to assess the risk to and, where necessary, maintain its network “without reliance on persons, equipment, or stored data located outside of the UK” (Article 3(3)(f) – Network architecture). This is an exceptionally high threshold for the international network operator to meet and needs to be clarified.

The obligations enshrined in Article 5 (2) – Monitoring and Audit are exceptionally far-ranging and merit quoting in full:

“The duty [to monitor, analyse and audit] includes, in particular, a duty — (a) to maintain a record of all access to the network or service (but not of the content of signals), (b) to have in place means and procedures for producing immediate alerts of all manual amendments to security critical functions, (c) to analyse promptly all activity relating to security critical functions of the network for anomalous activity, (d) to ensure that all data required for the purposes of a duty under paragraph (1) or subparagraphs (a) to (c) is held securely for at least 13 months.”

And again, this is backed up by an anti-overseas provision, mysteriously defined in a different way from the other provisions – saying the duty extends to an obligation on the network operator to avoid dependence on persons, equipment or stored data located outside the United Kingdom to monitor and audit the use of networks located in the United Kingdom (Article 5(3)(h)).

Supply Chain

There are obviously rules on supply chain elements that materially impact Huawei. The other piece on supply chain has been lost in the debate and puts far-reaching obligations on network operators to identify and reduce the risks of security compromises (Article 6 – Supply chain). The obligations include extensive duties to review all aspects of the supply chain to ensure there are no exposures as well as (most likely) to re-negotiate relevant existing contracts to include the mandatory obligations.

The obligations of the operators include:

  1. to identify and reduce the risks of depending on third party suppliers in relation to any (i) goods, (ii) services or (iii) facilities for use in connection with the networks or services. Such assessment must cover all risks of the relevant supply chain, including risks arising during the entire lifetime of any contractual arrangement with third party suppliers, and the underlying supply chains of such suppliers.
  2. to ensure, through contracts or otherwise, that their suppliers:
    • take appropriate measures to identify, disclose and reduce the risks of security compromises to the operators’ networks or services arising from the use of suppliers’ products and services;
    • where the supplier is itself a network provider and is given access to the operators’ network or to sensitive data, take measures equivalent to those that the operator is required to take in relation to its own network;
    • take appropriate measures to enable the operator to monitor all activity undertaken by the supplier on the operator’s network;
    • take appropriate measures to co-operate with the operator in the resolution of security incidents; and
    • take appropriate measures vis-a-vis their own suppliers or sub-contractors.
  3. to ensure that all network connections and data sharing with third party suppliers are managed securely; and
  4. to have in place written contingency plans (i.e. plans for migrating/transitioning from contracts with third party suppliers whilst maintaining the security of the networks or services).

In addition, network providers must have, at all times, a written plan to maintain the normal operation of the network in the event that supply or support from a third party supplier is interrupted and review that plan on a regular basis.

In relation to SIM cards, service (and not just network) providers must monitor and reduce the security risks related to the subscribers’ SIM cards and are under an obligation to replace them if it is appropriate to do so in order to reduce such risks.

And then the final sting in the tail, which again is going to prove challenging – the party must “reduce dependence on a single third party supplier in the procurement of any equipment in any part of the network that connects directly to customers or performs the associated transmission functions” (Article 6(2)(e)). This applies even if all the reviews set out in the preceding sections have been undertaken, and there are no proportionality or cost caveats to this obligation.

Prevention of security compromise and management of security permissions

The obligations on prevention of security compromise start off promisingly with a proportional and appropriate caveat but then dive into very wide-ranging details which will require parties to:

  • Take specific steps, including requiring two or more independent credentials to be present in order to access security critical functions, ensuring that changes are overseen, avoiding default criteria, and carrying out regular reviews of the compromise protections.
  • Comply with a mysterious final obligation under which they must consider the user’s location when determining their security permission. It is entirely unclear what counts as an appropriate location. Is a home working environment caught, or does it aim to target overseas access?

Governance and Accountability

Finally, the legislation makes clear that network and service providers must treat security as an essential business function and put in place robust governance processes. These obligations include the need to have a person/committee at board level with responsibility for security management and policies and resourcing of same. There must be a review of risks every 12 months recorded in a written assessment.

The bill puts great emphasis on real competences of human resources and sufficient budgets to source and train them. The credentials of key individuals must be set against the requirements in the bill, albeit these don’t have any nationality requirements – e.g. in India.

The government has proposed categorising operators into three tiers depending on their size (national, medium, and small operators). These tiers will determine the extent to which they will have to follow the Code of Practice and the level of Ofcom oversight they will be subject to.

The Code of Practice will set out detailed security measures for operators, which they can take to demonstrate compliance with their duties under the Bill and secondary legislation. The Code will provide guidance on how, and to what timescale, certain providers should comply with their legal obligations. For example, it will set out the detailed technical measures that should be taken to segregate and control access to the areas of networks that process and manage customers’ data. Operators would be expected to demonstrate compliance with the security duties by complying with this Code.

The Code of Practice will apply to both large national scale telecoms providers whose availability and security is critical to people and businesses across the UK and medium-sized telecoms providers. The difference will be the level of Ofcom oversight, with the larger providers being subject to intensive Ofcom monitoring and medium-sized operators being subject to only some oversight and monitoring.

The smallest telecoms providers, which include small businesses and micro enterprises, will need to comply with the law. However, it is not anticipated that the Code of Practice will apply to them, but they may still be subject to monitoring and oversight from Ofcom.

This draft secondary legislation may be subject to further changes. According to the government, this draft has been made available to illustrate how the government may use its new powers under the UK Telecoms Security Regime and ‘to enable early engagement with providers during the passage of the Bill’. The Bill has undergone the first reading in the House of Lords and, if it is adopted as expected, then this secondary legislation will come into force later this year.

That said, there is a concern that there is not enough planned consultation prior to the secondary legislation being introduced. Due to the extent of the obligations imposed on network and service providers, and the scope of those whom it will affect, it is essential that it is right.

[1] https://www.ispa.org.uk/wp-content/uploads/2101_ISPA_TS_Bill_Committee_ISPA_response.pdf