Telecommunications (Security) Bill

Written evidence submitted by Junade Ali CEng (TSB03)

Evidence - Telecommunications (Security) Bill

Introduction

1. I give this evidence in a personal capacity as an expert in cybersecurity having worked in large-scale internet infrastructure for the past few years and multiple projects to drive cybersecurity standards. Secure communication protocols I’ve developed have been adopted in popular services like Have I Been Pwned?, Google Chrome, Apple iOS and Mozilla Firefox. I have authored over a dozen scholarly computer science papers on the security of communication networks, anonymous communication protocols and vehicle sensor networks. I am a Chartered Engineer via the IET.

The duty to take security measures is ambiguous and overly narrow

2. Whilst the Bill attempts to address security risks with both Internet Service Providers and their supply chain vendors, it neglects the complexity of how the internet functions, with security responsibilities held by third parties such as Internet Exchanges (IXs), internet backbone providers and cloud computing providers.

3. In particular, internet backbone, Content Delivery Network (CDN) and recursive DNS providers may not necessarily have any contractual or financial "vendor" relationship with an ISP, even though they are critical internet infrastructure.

4. Such networks are subject to minimal regulation but increasing consolidation, and therefore pose a high security risk to critical telecommunications infrastructure.

5. At the very least, these third-party networks should have a legal obligation placed upon them to ensure the security of their networks.

6. This can be achieved by inserting this new clause after subsection (1) of the amendment to Section 105A of the Communications Act 2003 (in Section 1(2) of this Bill):

The duty in subsection (1) shall also apply to any electronic communications network or electronic communications service which is used to interconnect a public electronic communications network or a public electronic communications service with another electronic communications network or electronic communications service.

7. This is an incremental amendment and would not cover the creation of mandatory security disclosure or codes of practices for such networks. I would therefore suggest that the Government also bring forward wholesale reforms as part of Online Harms legislation and their review of The Network and Information Systems Regulations 2018 to establish regulatory grounding for all critical internet infrastructure in primary statute.

Conclusion

8. This legislation is founded on strong information security principles: that it is important to manage security risk, to report security breaches and threats as transparently as possible, and to ensure that fundamental technical best practice is respected. However, this legislation does not go far enough to cover the multiple types of communication networks required for the internet to operate.

9. Legal duties to uphold infrastructure security should be constructed broadly and legislation should empower the Government to make comprehensive regulations related to telecommunications infrastructure.

Junade Ali CEng

26th December 2020


Prepared 13th January 2021