UK: Telecommunications (Security) Act 2021 heralds a step change in cyber laws
The Telecommunications (Security) Act 2021 has now received royal assent. It creates a tough new regulatory framework imposing a wide range of cyber security obligations on the telecoms industry. However, this regime may present a compliance challenge, particularly as the government publishes secondary legislation and notices in respect of designated high-risk vendors (“HRVs”).
General security and notification duties
The Act creates general duties for providers of telecoms services, including an obligation to take security measures to reduce the risk of “security compromises”. These are defined in the Act as anything that compromises the availability, performance, functionality or confidentiality of the network, allows unauthorised access or interference, or causes signals or data to be lost or altered without the provider’s permission.
Service providers must take measures that are appropriate and proportionate to:
- identify the risks of security compromises;
- reduce these risks; and
- prepare for the occurrence of security compromises.
There is also a general duty under the Act to take appropriate and proportionate measures to respond to security compromises when they occur. In addition, if there is a significant risk of a security compromise, the provider must take reasonable and proportionate steps to bring this to the attention of users, along with details of measures they may take to mitigate or remedy adverse effects; and if a security compromise occurs and has a significant effect on the operations of the network, the provider must notify Ofcom.
The devil is in the details of the SI
While these general duties are strong but relatively unexceptional, the Act also provides for additional security measures to be included in secondary legislation, and for related guidance to be issued in Codes of Practice.
It is in this secondary legislation that the real scope and ambition of this new law becomes clear. The draft Electronic Communications (Security Measures) Regulations suggest a range of very onerous measures (set out below). There has been extensive consultation on these measures, and it seems likely that some will be softened in the final regulations, but they are still likely to mark a step change in expectation, and to raise serious compliance headaches for telecoms providers.
- UK-centric approach – providers must ensure they can operate a network within the UK, and perform monitoring and audit of that network, in each case without relying on anyone or any equipment or data outside the UK. Additionally, providers must ensure that any tools monitoring the content of signals, or monitoring in real time, cannot be accessed from outside the UK.
- Safety by design – providers must not only construct any network in such a way as to reduce the risk of security compromises, but must redesign existing parts of the network to the same end.
- Mitigating supply chain risk – providers must reduce supply chain risk, by vetting not only their own third-party suppliers, but those supplier’s supply chains as well. They also have an obligation to reduce dependency on any single third party and are required to maintain a written plan to maintain service in the event of interruption of supply from a third party.
- 14-day patching – providers will have 14 days to deploy a patch or mitigation (including software updates and equipment replacement) relating to a risk of security compromise from the date when it becomes available, or a longer period if this is reasonably determined to be appropriate.
- Penetration testing – the network must be regularly tested to assess its resilience to security compromises, with the tests simulating techniques that might be used in an attack on the network.
- Co-operation with other providers – if a security compromise is a risk to connected networks, the relevant provider must inform the connected network providers.
- Retention of access records – all access to the network (save for the content of signals) must be recorded, and the records held securely for at least 13 months.
- Re-engineer for hostile signals – providers must take measures to reduce security risks arising from external signals.
- Board-level security officer – a person or committee at board level or equivalent must be responsible for managing security compliance.
Added to this are further obligations expected in the Codes of Practice, although these have not been made public.
High-risk vendors
In addition to secondary legislation, the Act also provides for the Government to issue Designated Vendor Directions in respect of HRVs where these HRVs are deemed to be a threat to national security.
The Government has already produced a Designated Vendor Direction in relation to Huawei, which prevented providers purchasing new Huawei equipment from January 2021, and requires them to remove all existing Huawei 5G equipment by 2027. This is partly based on concerns over the reliability of Huawei’s products as a result of difficulties accessing technology due to US sanctions.
Enforcement
Ofcom is responsible for enforcing the Act, and will also publish procedural guidance to set out its approach to monitoring to the industry. In the case of non-compliance, sanctions of up to 10% of global turnover can be issued.
In addition, Ofcom can impose interim measures to address adverse impacts on a network, and the Act provides the right for a person who suffers loss due to a provider’s non-compliance to seek restitution in civil proceedings, with Ofcom’s consent.
Conclusion
Matt Warman, Minister for Digital Infrastructure, described these proposals as bringing in “one of the strongest telecoms security regimes in the world, a rise in standards across the board, set by the government rather than the industry”.
If the obligations in the final secondary legislation are anything like those in the draft Electronic Communications (Security Measures) Regulation, the Government will have achieved its objective. It is interesting to consider the reason for this step change – the breadth and scope of these obligations suggest the intention is not just to protect against opportunist cyber-attacks but rather to harden these critical telecoms networks against national state actors and other cyber warfare threats. It remains to be seen whether other critical sectors will be subject to similar regulation in due course.