Ruling the networks: the UK's telecoms security bill
Gordon Moir, Partner at Wiggin LLP, explains the vulnerable and challenging situation the UK telecoms industry will find itself in as a result of the new telecommunications (security) bill
Introduced late last year, the UK’s Telecoms (Security) Bill aims to change how communications networks are built and operated and to protect the UK from hostile cyber activity. In January, a draft statutory instrument was published which gave more detail on the new security regime but the creases still need to be ironed out in order to make these propositions truly viable in the UK’s current telecoms climate.
Are the new requirements cause for alarm?
The proposed rules contain highly restrictive (if somewhat unclear and inconsistent) provisions about the need for a UK locus for compliance and avoiding dependency on overseas parties or services. This is simply not how most networks operate. Even if you overlook the obvious challenges for cross-border operators, you’ll find that most operators have at least some service elements overseas.
This legislation is likely to be incredibly far-reaching. It will look to impose considerable requirements on network operators, as well as on global communication service providers who have operations in the UK. Though these rules are, at present, still working through the legislative process, some things are still not clear, including a proposed tiering of the application of the rules to different categories of providers.
These moves to recognise some tiering in how the rules are to be applied, depending on the scale of the operator, are helpful but do not detract from what currently displays a misunderstanding of both modern communications operations that operate across borders as well as the likely very large costs of compliance with these new rules.
The proposed rules also set out extensive audit obligations; duties to ensure no undue dependence on a single provider; obligations to flow down certain obligations to key suppliers; and governance obligations, with certain security functions now having to be allocated at board level.
Since the new rules are some of the most comprehensive rules globally, there must be much greater engagement and consultation with the industry on their practical application. Given the wide-ranging impact of the rules, the measures must be proportionate and workable.
What do these provisions mean for the telecommunications industry?
Understandably, the industry is concerned by both the new measures, and the lack of detailed consultation that was undertaken prior to publication.
The new requirements come with substantial costs and time implications, certainly for larger operators. There is a raft of increased duties that are not sufficiently defined or clarified within the text so as not to limit their potential implications in application. The underdeveloped requirement to retain all data relating to any access to the network or service for at least 13 months is one example, meaning it could be applied to lots of areas and services. Without some limitation in the legislation, the extra costs could be hugely significant.
The legislation requires network providers "to avoid dependence on persons, equipment or stored data located outside the United Kingdom to monitor and audit the use of networks located in the United Kingdom", which could be difficult to implement given that modern software and hardware tends to be produced with international inputs. Telecommunications is a global, interconnected industry. Many operators have global operations and almost all are linked to global supply chains. This measure has the potential to change and disrupt how providers operate their networks and it can even undermine their viability.
Although the intricacies of the proposed code of conduct are still unknown, there will be additional requirements for compliance and intensive monitoring by Ofcom. The code is to provide guidance on how and to what timescale certain providers should comply with their legal obligations. For example, it will set out the detailed technical measures that should be taken to segregate and control access to the areas of networks that process and manage customers' data. Operators would be expected to demonstrate compliance with the security duties by complying with this code. Failure to comply with the Bill can result in Ofcom issuing financial penalties for non-compliance.
These penalties include up to £100,000 a day for failing to comply with a security duty and a maximum penalty of £10 million for not complying with a code of practice.
It is important to remember that the legislation is not yet final and there are a number of stages to be finalised. It’s understandable that the government is seeking to implement greater security, however, the costs and penalties are of real concern to the industry.
The bottom line is that before the rules are implemented in their present form, the authorities must consider the attractiveness of the United Kingdom as a hub for communications providers. Passing the onus and costs for reinforcing the UK’s telecoms infrastructure onto network service providers does not seem the most sensible way of supporting a sector that is crucial to our recovery from the pandemic and which is dealing with a range of other issues, such as new telecoms rules, fibre deployment and materially changing service offerings and network architectures.