Telecommunications (Security) Bill

WRITTEN EVIDENCE SUBMITTED BY THE BT GROUP (TSB02)

TELECOMMUNICATIONS (SECURITY) BILL

1. OVERVIEW

1.1 We are fully supportive of the principal objective of this Bill, to further improve the security of the UK’s telecommunications networks.

1.2 The availability and integrity of our networks and the confidentiality of the data we process is at the heart of our ability to serve our customers and the UK – cyber security is a top priority for BT. We have robust and long-standing infrastructure security policies based on best practice, working closely with the security services. We have:

· Invested significantly in developing world-leading capabilities to combat cyber threats.

· Developed a long-standing partnership with the National Cyber Security Centre (NCSC), focused on improving the resilience of the UK’s telecommunications infrastructure.

· Established clear and consistent network architecture policies to minimise vendor risk, not permitting high risk vendors in the sensitive core network.

· Established strong governance arrangements, with BT’s Security Council providing Executive-level oversight of all cyber security issues, including the use of all external suppliers in the network.

1.3 We own and operate critical national infrastructure and so we see it as vital to work in lockstep with NCSC on our vendor deployment, sharing full visibility of major procurement decisions. We have established a comprehensive risk mitigation programme, in-line with its guidance and strategy.

1.4 The Bill introduces two new and important elements to the UK’s telecoms security framework – first, restrictions on the use of high risk, or ‘designated’, vendors and, second, new telecoms security duties on operators with associated OFCOM powers to monitor, assess and enforce compliance.

1.5 On the first, given the Government’s concerns about national security, we accept the decision to remove Huawei from 5G by 2027 (with milestones also set for no new purchasing or installation of new Huawei equipment), which will be brought into law via Directions from the Secretary of State after the Bill’s Royal Assent. This will cost BT £500 million, but we are confident it will be manageable. It will not be possible to move any faster without creating significant risk of network blackouts, as well as a loss of the economic benefits that 5G will deliver for the UK.

1.6 On the second, to further enhance our existing security approach, we support the introduction of new Telecoms Security Requirements (TSRs), set by the NCSC, to be established through a Code of Practice and underpinned by OFCOM powers. We believe that this will provide for a world-leading cyber security baseline for the UK, setting a higher bar for the whole sector to clear.

1.7 We broadly support the new duties imposed on operators and new powers given to OFCOM to support this new approach. However, it will be important that OFCOM, in this new role, creates a workable regime for operators. Whilst we understand that there will be formal consultations on the Code of Practice and on OFCOM guidance for operators after the Bill’s Royal Assent (which will establish the detail of the new regime), we believe greater clarity is needed on OFCOM’s planned approach, with safeguards introduced in the Bill to ensure operator burdens are proportionate.

1.8 Furthermore, the Government proposes to place operators into one of three tiers (national, medium and small operators), with small operators not expected to follow the Code of Practice and only subject to limited OFCOM oversight. Whilst ensuring burdens are proportionate, we believe that common and sufficiently rigorous requirements should be made of all industry operators to support the long-term resilience of the UK’s infrastructure and avoid vulnerabilities being created.

1.9 We have also welcomed the publication of the Government’s 5G Supply Chain Diversification strategy alongside the Bill. Reducing reliance on a small number of global vendors will be important to increase competition, drive innovation and improve resilience. It will take time to move at scale towards new approaches, such as Open RAN – to be successful, network operators need to be confident in the maturity, performance, integration and security credentials of new vendors and technologies before they are deployed in their main networks. But Government can help accelerate this progress – and create real opportunities for UK leadership and job creation – with an ambitious programme to fund R&D and trials. The £250 million funding for this activity announced in the Spending Review and the Government’s National Infrastructure Strategy is a welcome step in supporting this.

2. HIGH RISK, OR ‘DESIGNATED’, VENDORS

2.1 The Secretary of State will have powers to restrict the use of ‘designated’ vendors in the telecoms supply chain. This will bring into force the decisions made in July 2020 and announced at Second Reading regarding the use of Huawei in 5G networks. These include:

· A ‘no new buy’ rule to apply from the end of 2020, prohibiting operators purchasing new Huawei 5G equipment.

· A ‘no new installation’ rule to apply from September 2021, prohibiting operators introducing new Huawei 5G equipment to their networks.

· A requirement that Huawei equipment should only account for a maximum of 35% of the less sensitive radio access network (the RAN – the masts and antennas we use) by 2023, and that it should be completely removed from the sensitive core network.

· A requirement for Huawei equipment to be removed from the UK’s 5G networks by 2027.

2.2 We understand the Government’s decision not to include specific restrictions on the face of the Bill so as to maintain flexibility in the future. However, it will be important that these Huawei deadlines are not further amended. The Government’s decisions have provided some clarity and certainty for the industry and have enabled us to plan our network investment more confidently.

2.3 The removal of Huawei equipment over this time period will be challenging, given the pace of delivery required and the ability of the wider supply chain to support this work, with an expected cost to BT of £500 million. It represents a major undertaking, requiring an unprecedented scale of site visits and engineering work. We have already commenced this work in order to meet these timelines. Over the past year, we have re-planned our network twice in response to new Government policy announcements and it would be hugely damaging to be required to do this again.

2.4 In coming to its decision, we believe the Government has sought to appropriately consider the wider economic consequences of removing Huawei, whilst effectively addressing security and resilience challenges:

· A 2027 deadline allows us to make the necessary and significant changes to our network while continuing to provide the resilient and secure connectivity our customers and the UK need – and avoids signal blackouts. Removing Huawei from our 5G network also requires the underlying 4G equipment to be removed (as UK 5G is currently being deployed on a ‘non-standalone’ basis given the current stage of technology evolution). A seven-year timeframe broadly aligns with 4G equipment life cycles. It will therefore mean minimising the number of sites we need to visit multiple times, enabling us to stagger the necessary work in local areas and reduce the likelihood of service disruption.

· If we were required to go faster, these risks would grow and our confidence that the Government’s objectives could be achieved would diminish. Removing Huawei equipment would be near impossible without severely impacting service and creating significant network blackouts, as we need to turn off multiple sites to remove kit. It would also put other network upgrade programmes at risk, such as our full fibre roll-out.

· Our 5G roll-out plans will not be significantly disrupted in having to meet a 2027 deadline, meaning that the economic benefits of 5G – now more acutely needed to support a post-Covid recovery – can be brought forward as quickly as possible. 5G will have a more profound impact on business, productivity and society even than full fibre. Government analysis says leadership in 5G is worth £170 billion to UK GDP in the next decade and its value chain is expected to support 600,000 jobs by 2035. 5G will be a determining factor in where global industries are based.

2.5 So, given the wider issues the Government was considering, we believe this was a balanced and evidence-based decision. It will be important that, as Parliament considers this Bill, the industry is not faced with ongoing uncertainty and we can plan and invest in our networks with confidence that the goal posts will not be changing again. BT is investing billions in building the next generation networks that are essential to UK prosperity – and we now need to forge ahead.

3. NEW TELECOMS SECURITY REQUIREMENTS

3.1 We welcome the intention to create a new telecoms security framework. However, further consideration must be given to ensuring how a workable and proportionate regime will be put in place. We believe that greater clarity and amendments to the Bill are required in the following areas:

· "Security compromise" and "connected security compromise" must be more appropriately defined in the Bill.

· It will be critical to the success of the new framework that all operators are required to meet a common baseline – but the proposed tiered approach may risk the introduction of vulnerabilities in the system through smaller providers.

· Duties to inform others of "significant risks" of security compromises must be proportionate and not in themselves increase security risks.

· The Bill confers wide-ranging powers on OFCOM – we would welcome more clarity on how the regime will work in practice to ensure burdens are proportionate.

"Security compromise" and "connected security compromise" must be more appropriately defined

3.2 As currently defined, a "security compromise" (Clause 1) would cover any planned network outage that may be required for maintenance or upgrading of the network, or any unplanned outages due to faults or wear and tear. These types of outages are relatively regular occurrences given the scale of our network and we always seek to minimise customer impact and restore service as quickly as possible. The duties on operators in the Bill that flow from this definition are significant – including network issues that cannot reasonably be considered as security compromises (rather resilience or availability issues) would create undue burdens on operators and potentially on OFCOM.

3.3 These outages are not the result of any unauthorised access or malicious intent, nor do they have consequences for the confidentiality of data or signals carried over the network. We do not believe it is the intention of the Bill to apply the same requirements (e.g. with respect to reporting or notification to stakeholders), or to make the same powers available to OFCOM, in relation to these types of incidents, as are intended to apply to "security compromises".

3.4 Indeed, we believe that Clause 1 would provide for a comprehensive definition of a "security compromise" without the reference to "the availability, performance or functionality of the network or service" and would ensure that operators are not required to report (beyond their wider obligations) these types of benign operational incidents to OFCOM, ensuring that the burden on operators is not disproportionate and in-line with the intentions of the Bill. These types of matters are different in nature and so should be handled differently in the legislative framework.

3.5 The definition also seeks, we understand, to capture any compromise to the integrity of signals conveyed over a network. However, the way that this is expressed – by reference solely to compromises of the "confidentiality of signals" – is unclear and confusing. It could be significantly improved by making a simple amendment to refer to "confidentiality and integrity".

3.6 The definition of "connected security compromise" (Clause 1, page 2, line 47) is a simple definition referring to something that "occurs in relation to another public electronic communications network or a public electronic communications service". Given the potential breadth of this definition, building some specifics on how the "connected" element will be assessed in the overall Government/OFCOM guidance on "security compromise" will be important. This would help operators understand the core principles behind this definition, to enable them to understand how it could impact their interconnection relationships with other networks and services, where developing an understanding of the occurrence (or causality) of any incident will be fact- and contract-based, particularly if the Government retains the tiering structure for different sizes of operator in the proposed Code of Practice.

3.7 We would therefore encourage the following amendments to be made to the Bill:

· Clause 1, page 1, line 15 – leave out subsection (a)

· Clause 1, page 1, line 20 – after "confidentiality" insert "and integrity"

· Clause 1, page 1, line 22 – leave out subsection (d)

3.8 If it is the intention to ensure that operators’ existing OFCOM reporting duties on network resilience issues under the Communications Act are not affected by this Bill, then we believe a better means of achieving this would be the creation of a separate clause in this Bill to this effect. This would ensure there is a clear distinction between operators’ duties concerning security compromises (about which this Bill is principally concerned) and their duties on resilience reporting, so that the significant new requirements expected for security compromises do not also inappropriately apply to this category.

3.9 The Bill (Clause 4, page 8, lines 5 to 19) also seeks to provide guidance to operators and to OFCOM as to whether or not a risk of a security compromise is "significant" (and thus requiring of notification to OFCOM and network users). It is, however, unclear whether it is the operator or OFCOM that should be making this judgement.

3.10 We would therefore welcome greater clarity from either OFCOM or the Government as to the thresholds that they would expect to be met for a risk of a compromise to be deemed significant.

It will be critical to the success of the new framework that all operators are required to meet a common baseline

3.11 We anticipate that much of the TSRs will reflect ongoing security measures that BT already has in place, but their full implementation is expected to require significant changes to processes, training, equipment and operations. Operators must be given sufficient time to implement the new standards and future iterations as they adapt to technological evolution and potential new threats.

3.12 Whilst we agree that burdens on operators must be proportionate and that all operators will be subject to the legal duties in the Bill, we are concerned that the Government’s planned approach for three ‘tiers’ of provider will mean small operators (tier 3) will not be required to follow the Code of Practice and may only be subject to limited OFCOM oversight (as set out in the Government’s factsheet [1]).

3.13 It is currently unclear how these operator tiers will be defined more precisely. During the passage of the Bill, we would therefore encourage the Government and/or OFCOM to publish more detailed proposals on this.

3.14 It will be critical for the effectiveness of the new security framework this Bill puts in place that all operators and organisations in the telecoms supply chain are subject to higher standards and appropriate OFCOM scrutiny. Given the interconnected nature of the industry and our networks, the integrity and success of the new standards will require common and industry-wide requirements. Indeed, the interconnectedness of networks is explicitly recognised in the Bill when it identifies "connected security compromises" (see Clause 1, page 2, line 47).

3.15 We would therefore encourage the following amendment to be made to the Bill:

· Clause 3, page 5, line 12 – after subsection (c) insert:

"(d) must apply a code of practice to all providers of a public communications network or a public communications service."

Duties to inform others of "significant risks" of security compromises must be proportionate and not in themselves increase security risks

3.16 We agree with the requirements on operators to support the users of their networks in preventing or mitigating the impact of a potential security compromise. We already provide significant guidance to our customers as to how they can reduce the risk e.g. from phishing attacks, ensuring passwords are sufficiently strong etc, as well as filtering malicious domain names on our DNS servers, offering services customers can use to protect themselves from known sites (BT Web Protect) and protect children from inappropriate sites (BT Parental Controls).

3.17 However, the definition in the Bill of "users" is very broad i.e. "persons who use the network or service and may be adversely affected by the security compromise" (Clause 4, page 7, line 25). This potentially extends significantly beyond the provider’s customers (at a retail or wholesale level) to potentially any party who may interact with the provider, but with whom the provider has no direct relationship.

3.18 We would therefore encourage the following amendment to be made to the Bill:

· Clause 4, page 7, line 25 – leave out "persons" and replace with "customers"

3.19 In certain cases, the security of the network may be put at greater risk if potential risks are communicated to stakeholders, providing malicious actors with additional information on potential vulnerabilities in the network that they may seek to exploit. We therefore believe that the Bill should explicitly consider such scenarios and not place obligations on communications providers to inform users of risks where doing so would increase the likelihood of that risk crystallising.

3.20 We would therefore encourage the following amendment to be made to the Bill:

· Clause 4, page 7, line 38 – after paragraph (3) insert:

"(4) The provider of the network or service is not required to inform users of a significant risk of a security compromise should it be reasonably considered by the operator that such steps would increase the likelihood of that or another security compromise occurring or if the provider of the network or service has taken reasonable and proportionate steps to mitigate the significant risk of a security compromise."

3.21 Additionally, the Bill also confers powers on OFCOM to inform others of a security compromise or risk of a compromise, such as the Secretary of State or network users. We understand the intention of the Bill in this regard and support the principle. We believe that this would be most effective when done in conjunction with the operator in question to ensure there is clarity and agreement, where possible, on the timing, audience and messaging of such information provision. This would also ensure that this does not cut across any other obligations that an operator may have, such as market disclosures. The Bill currently does not require OFCOM to consult with the operator prior to informing third parties of a security compromise (or risk of one).

3.22 We would therefore encourage the following amendment to be made to the Bill:

· Clause 4, page 9, line 31 – after subsection (9) insert:

"(10) Prior to informing others of a security compromise or risk of a security compromise, OFCOM must consult, where reasonably practicable to do so, with the provider in question on the timing and content of the information to be provided to others."

The Bill confers wide-ranging powers on OFCOM – we would welcome more clarity on how the regime will work in practice to ensure burdens are proportionate

3.23 For the success of the new regime, we understand and support the need for significant new duties to be placed on operators to, for example: take steps to mitigate the risks of potential security compromises; take appropriate action if and when they occur; inform OFCOM and users; follow new designated vendor directions; and to cooperate with OFCOM in monitoring, assessing and ensuring compliance. We also accept the need for and support a new general duty (proposed as Section 105M under Clause 5 of the Bill, page 9, lines 37-41) and significant new powers for OFCOM to carry out its new role.

3.24 It will be vital that the Government and OFCOM create a workable regime for operators. We are not yet clear, however, on OFCOM’s approach to or plans for carrying out its new general duty or the relationship that this has with OFCOM’s general duties under sections 3 and 6 of the Communications Act 2003. The new general duty – and resultant powers – being afforded to OFCOM under this Bill should still be subject to the protections that already apply where OFCOM performs its regulatory duties i.e. that OFCOM must have regard to the principles under which regulatory activities should be transparent, accountable, proportionate, consistent and targeted only at cases in which action is needed; and for OFCOM to keep regulatory burdens under review. The potentially sensitive nature of security compromises should not mean that OFCOM need not be subject to good regulatory practice (as embodied by these existing sections of the Communications Act 2003) when it exercises its general duty and new powers.

3.25 We understand that there will be a formal consultation on the Code of Practice after the Bill’s Royal Assent and that OFCOM will be obliged to publish a statement of their general policy with respect to the exercise of their functions (see Clause 10, page 17, line 33). It will be important that, given the broad nature of OFCOM’s powers in certain aspects, it is careful to ensure that proportionate and reasonable burdens are placed on operators when seeking to comply with their duties.

3.26 Prior to the Bill’s Royal Assent, and in order to provide for proper scrutiny, we believe that it is necessary for OFCOM to set out its intended approach to carrying out its duties and how it will ensure this will be reasonable and proportionate for operators.

3.27 For example, the Bill (Clause 6, page 9) confers broad powers on OFCOM to assess compliance with an operator’s security duties, including but not limited to accessing premises, performing penetration tests and interviewing personnel. We understand and support these powers in principle.

3.28 However, these assessments are likely to create significant burdens on the operator and disruption to their business and network. The Bill currently places no specific limits on OFCOM’s powers to issue assessment notices (beyond those outlined in subsections (5) and (6) of Clause 6, page 11). Similarly, the Bill does not require OFCOM to ensure that the assessment and impositions it may place on a provider to co-operate are proportionate to the concerns it may have with respect to the provider’s compliance with its security duties under the Bill. Nor does the Bill require OFCOM to consult the operator prior to appointing a third party to undertake an assessment, with no requirement to ensure that that party is suitably qualified or security-cleared to undertake that assessment.

3.29 Similar to Clause 6, Clause 19 (page 31) provides OFCOM with broad powers to issue inspection notices to providers for the purpose of assessing compliance with a designated vendor direction. Again, we understand and support the principle of these powers – but as in Clause 6, there are no specific limitations on OFCOM in the Bill in the use of these powers, nor any requirements to ensure they are used reasonably and proportionately. This reinforces the point we make above in paragraph 3.24 of the role that sections 3 and 6 of the Communications Act 2003 will play in providing appropriate protections.

3.30 New section 105N (Clause 6, page 10, lines 2-12) sets out powers for OFCOM to undertake a security assessment – either itself or by another person. The need for such a third party to be appropriate and competent may be self-evident, given the level of access to a network that such an assessment would entail. It should not therefore be controversial to include in the power that such third party must have proven competency and be authorised (by OFCOM and/or the NCSC) to undertake that role – competency needing to cover not just their technical expertise but also being appropriate from a security perspective.

3.31 We would therefore encourage the following amendments to be made to the Bill:

· Clause 6, page 10, line 3 – remove "person" and replace with:

"competent and authorised person with the permission of the provider"

· Clause 6, page 10, line 7 – after subsection (1) insert new subsections:

"(2) OFCOM may only carry out, or arrange for another person to carry out, an assessment as in subsection (1), if it reasonably considers that there is a risk of a significant security compromise or if an assessment as in subsection (1) has not been undertaken in the prior 36 months."; and

"(3) OFCOM must ensure that the nature of the assessment carried out under this section must be reasonable and proportionate to the concerns OFCOM has with the provider’s compliance with the duties imposed by or under any of the sections 105A to 105D, 105J and 105K."

· Clause 6, page 10, line 12 – after subsection (b) insert new subsection:

"(c) not unreasonably withhold agreement for another competent and authorised person to carry out the assessment."

· Clause 19, page 32, line 10 – after subsection (3)(b) insert new subsection:

"(4) OFCOM must exercise the power in subsection (2) in a reasonable and proportionate manner in determining whether the provider has complied or is complying with the designated vendor direction or a specified requirement imposed by the designated vendor direction."

BT Group

December 2020

Prepared 13th January 2021