In November 2021, the Telecoms (Security) Bill completed its passage through the House of Lords and the House of Commons. Having received Royal Assent, it is now an Act of Parliament: the Telecoms (Security) Act 2021.

The Bill itself has been on the horizon for quite a while, particularly due to the sharp rise in cyber-crimes, the perceived risk of certain vendors (Huawei will be the one that immediately springs to mind but is not the only one) and the general speed of development of various technologies over the past few decades.

The new Act will provide both Ofcom and the Government with additional mandates to direct the operations of telcos in the UK. This will include the running of supply chains, as well as the design and operation of networks. If organisations fail to meet these new standards, they risk being subjected to fines of up to either £10 million or £100,000 for every day of breach. When I say ‘telco’, the language in the Act refers to Electronic Communications Networks and Services, which brings into scope everyone from the largest multi-national companies through to one-man-band resellers.

At the time of writing, the full breadth of the required new standards is not known. The Act itself brings forward a duty for all telcos ‘to take such measures as are appropriate and proportionate for the purposes of identifying and reducing the risks of security compromises occurring and preparing for their occurrence’. It further empowers the Secretary of State for the Department for Digital, Culture, Media and Sport (DCMS) to require such telcos to take ‘specified measures’ in relation to the risks of security compromises.

It’s those ‘specified measures’ which are the ‘standards’ I mentioned earlier. These will come in two parts – a Code of Conduct, which will be consulted upon alongside input from Ofcom, and secondary legislation in the form of regulations. The latter will end up being the Telecommunications (Security) Regulations 2022, with such regulations being a form of legislation, as opposed to the Ofcom General Conditions we most commonly think of as regulations.

Ordinarily, secondary legislation is laid before Parliament and passed with a wink and a nod – I am told that, given the scale of what lies ahead, it will be consulted upon more than the usual statutory instrument, and that DCMS will have a positive engagement with stakeholders. While not unheard of, it is comparatively rare for the civil service to engage on secondary legislation with stakeholders at the level planned. This therefore marks a small victory for Comms Council UK members who have been lobbying hard on behalf of their peers.

However, if the Government continues with the thinking it showed in an early draft of the secondary legislation published a year ago, then we may see requirements such as mandatory annual penetration testing, restrictions on what systems and information can be accessed from abroad, security patches required to be performed within fourteen days, a requirement for a telco to audit its supply chains and more.

The Government has signalled that some of this may be softened by the Code of Conduct categorising telcos into tiers, with the most onerous requirements being reserved for just the largest. However, it is important to note that while the Act requires the Secretary of State to consult on a Code of Conduct, it does not require them to heed the responses.

Additionally, unless the tiers are themselves embedded in secondary legislation, we risk a perverse situation where a lower-tier telco could be found to have breached the law despite complying with the letter of the Code.

Overall, the Government wants to ensure that the UK’s telecoms infrastructure is secure and free from potential compromise by certain foreign interests. In my opinion, it is achieving this policy objective through one of the most invasive and wide-ranging pieces of legislation I have seen in this sector. I would encourage everyone to engage with the subject when it is consulted upon and ensure your voice is heard before it is too late.

from UC Today https://ift.tt/GjmcsD8ez