Telecommunications (Security) Bill

Written evidence submitted by Dr Louise Bennett, Director, Digital Policy Alliance (DPA) (TSB08)

1. I am broadly supportive of the intentions of the Telecommunications Security Bill. It baselines the legal requirements about the security measures that are required in the UK Telecoms networks. Anything that encourages security to be top of mind for all the vendors in the multiple supply chains involved is a good idea.

2. However, adopting best practice cannot guarantee network security. The current UK communications network has grown like Topsy. It consists of multiple digital infrastructures sitting on a lot of legacy (including some analogue systems). It is a very complex system of systems with thousands of ill-defined interfaces and billions of end points, many of which have no security at all. It is a question of when and how badly the security is breached and not "if".

3. I also welcome, in principle, the Telecoms Diversification Task Force and the 5G Diversification Strategy to address the paucity of vendors (particularly UK based) in the telecoms supply chain. However, incorporating early product offerings, particularly from new entrant Tier 3 suppliers, could risk not providing sufficiently mature security. R1 A government-run sandpit might be helpful here to test out new UK-designed products in a realistic environment (as for Fintechs in the City of London).

4. There are four key areas that a Framework Bill seeking to ensure telecoms networks are secure needs to address. These are:

a. The network architecture, which is what this Bill focusses on (para 5)

b. The security of data both about the network (para 6) and of data going across the network – the latter is covered, but the former, which I would characterise as the Network Asset Database, is not adequately covered

c. The processes for maintaining the level of security needed over time (paras 7 & 8)

d. The operational costs and other impacts of compliance, which are not fully considered (para 9).

5. The security of the network architecture is the main focus of the Bill. As a system of systems it is interconnected in a very complex fashion. This means that for the security of the whole you need to understand all the interfaces and their specifications and standards, and also the ownership of each part, so that contracts can define where the liability of one party starts and that of another ends (this will be reflected in the penalties OFCOM might apply for security breaches). In many cases, companies are operating applications that rely on the characteristics of the underlying networks and will be impacted by the removal of legacy parts of the infrastructure, such as copper cables, or even the replacement of a particular supplier’s components. An example of an area that could be impacted is alarm systems running over the network.

6. In relation to the security of the data about the network, I was surprised that the Bill did not make more mention of telecoms asset databases. Maintaining accurate and secure databases, down to the component and even batch level of the assets that make up the network, is essential for ongoing security. You only have to look at the costs, time and difficulty of dealing with the Millennium bug to realise this. Probably, all the companies involved in providing and maintaining the Core National Infrastructure are addressing this. The point is intimately bound up with the cost and impacts of security and with the processes for maintaining security, which must include details of the replacement of components both during maintenance and in order to comply with such things as the removal of all of a named supplier’s kit, or with tracing particular components or batches of components that might be compromised.
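The following is an added worked example and is not part of Dr Bennett's submission. It sketches the two questions a component- and batch-level asset database must be able to answer: "which network elements contain any of supplier X's kit?" (the removal list) and "which elements hold batch Y of part Z?" (the blast radius of a suspected compromised batch). The schema, supplier names, part numbers, batch numbers and sites are all constructed for illustration; sqlite3 from the Python standard library is used so it runs offline.

```python
"""Constructed example: a component- and batch-level network asset database.

Not part of the DPA submission. Suppliers, part numbers, batches and sites
below are invented to show the tracing queries the text calls for.
"""
import sqlite3

SCHEMA = """
CREATE TABLE supplier  (id INTEGER PRIMARY KEY, name TEXT UNIQUE NOT NULL);
CREATE TABLE component (id INTEGER PRIMARY KEY, part_no TEXT UNIQUE NOT NULL,
                        supplier_id INTEGER NOT NULL REFERENCES supplier(id));
CREATE TABLE batch     (id INTEGER PRIMARY KEY,
                        component_id INTEGER NOT NULL REFERENCES component(id),
                        batch_no TEXT NOT NULL, UNIQUE(component_id, batch_no));
CREATE TABLE element   (id INTEGER PRIMARY KEY, hostname TEXT UNIQUE NOT NULL,
                        site TEXT NOT NULL);
CREATE TABLE installed (element_id INTEGER NOT NULL REFERENCES element(id),
                        batch_id INTEGER NOT NULL REFERENCES batch(id),
                        PRIMARY KEY (element_id, batch_id));
"""

# Constructed sample inventory (hypothetical suppliers, parts, batches, sites).
SUPPLIERS = ["Vendor A", "Vendor B", "Vendor C"]
COMPONENTS = [("RRU-100", "Vendor A"), ("BBU-7", "Vendor A"),
              ("CORE-RT-2", "Vendor B"), ("OPT-SFP", "Vendor C")]
ELEMENTS = [("ran-site-01", "Leeds"), ("ran-site-02", "Hull"),
            ("core-lon-1", "London")]
INSTALLED = [  # (hostname, part_no, batch_no)
    ("ran-site-01", "RRU-100", "2019-Q3"), ("ran-site-01", "BBU-7", "2020-Q1"),
    ("ran-site-01", "OPT-SFP", "2020-Q2"), ("ran-site-02", "RRU-100", "2020-Q1"),
    ("ran-site-02", "BBU-7", "2020-Q1"),   ("ran-site-02", "OPT-SFP", "2020-Q2"),
    ("core-lon-1", "CORE-RT-2", "2018-Q4"), ("core-lon-1", "OPT-SFP", "2020-Q2"),
]

# Shared join path: installed row -> element, batch -> component -> supplier.
FROM_JOINS = """
    FROM installed i
    JOIN element   e ON e.id = i.element_id
    JOIN batch     b ON b.id = i.batch_id
    JOIN component c ON c.id = b.component_id
    JOIN supplier  s ON s.id = c.supplier_id
"""


def build_inventory() -> sqlite3.Connection:
    """Create an in-memory asset database and load the constructed sample data."""
    conn = sqlite3.connect(":memory:")
    conn.execute("PRAGMA foreign_keys = ON")
    conn.executescript(SCHEMA)
    conn.executemany("INSERT INTO supplier(name) VALUES (?)", [(s,) for s in SUPPLIERS])
    conn.executemany("INSERT INTO component(part_no, supplier_id) "
                     "SELECT ?, id FROM supplier WHERE name = ?", COMPONENTS)
    conn.executemany("INSERT INTO element(hostname, site) VALUES (?, ?)", ELEMENTS)
    for hostname, part_no, batch_no in INSTALLED:
        # A batch row is created the first time it is seen; later installs reuse it.
        conn.execute("INSERT OR IGNORE INTO batch(component_id, batch_no) "
                     "SELECT id, ? FROM component WHERE part_no = ?", (batch_no, part_no))
        conn.execute("INSERT INTO installed(element_id, batch_id) "
                     "SELECT e.id, b.id FROM element e CROSS JOIN batch b "
                     "JOIN component c ON c.id = b.component_id "
                     "WHERE e.hostname = ? AND c.part_no = ? AND b.batch_no = ?",
                     (hostname, part_no, batch_no))
    conn.commit()
    return conn


def elements_using_supplier(conn: sqlite3.Connection, supplier: str) -> list[str]:
    """Removal list: every element holding any component from the named supplier."""
    rows = conn.execute("SELECT DISTINCT e.hostname" + FROM_JOINS +
                        "WHERE s.name = ? ORDER BY e.hostname", (supplier,))
    return [r[0] for r in rows]


def elements_using_batch(conn: sqlite3.Connection, part_no: str,
                         batch_no: str) -> list[tuple[str, str]]:
    """Blast radius: (hostname, site) of every element holding one specific batch."""
    rows = conn.execute("SELECT e.hostname, e.site" + FROM_JOINS +
                        "WHERE c.part_no = ? AND b.batch_no = ? ORDER BY e.hostname",
                        (part_no, batch_no))
    return [(r[0], r[1]) for r in rows]


def component_bill(conn: sqlite3.Connection, hostname: str) -> list[tuple[str, str, str]]:
    """Bill of components for one element: (part_no, batch_no, supplier)."""
    rows = conn.execute("SELECT c.part_no, b.batch_no, s.name" + FROM_JOINS +
                        "WHERE e.hostname = ? ORDER BY c.part_no", (hostname,))
    return [tuple(r) for r in rows]


if __name__ == "__main__":
    db = build_inventory()
    print("Vendor A removal list:", elements_using_supplier(db, "Vendor A"))
    print("RRU-100 batch 2019-Q3 blast radius:", elements_using_batch(db, "RRU-100", "2019-Q3"))
    print("core-lon-1 bill of components:", component_bill(db, "core-lon-1"))
```

The point of the `batch` table with its `UNIQUE(component_id, batch_no)` constraint is that a recall is scoped to a batch, not to a part number: the two RRU-100 units in the sample belong to different batches, so a suspected 2019-Q3 compromise implicates one site, while a supplier-wide removal order implicates both. Real deployments would add maintenance history (who swapped what, when) so that the database stays accurate across the component replacements the submission describes.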

7. The processes for maintaining security over time need to be rigorous and require open dialogue between many suppliers, including maintenance sub-contractors. This is especially true to stop unintended consequences of upgrades on applications and other network operators and in maintaining the integrity of the network asset databases. R2 A Technical Advisory Board (focussed on the provisions of the Bill) would be a helpful addition here.

8. There is also the question of the process of transparent accountability to Parliament over time. This is very difficult because of the balance between the need to move fast in a rapidly evolving technical market under constant security threats, and the need to discuss the viability and costs of specified measures with the telecoms industry and its suppliers. R3 A Commissioner (like the Office of the Information Commissioner or the Investigatory Powers Commissioner) would be helpful.

9. The operational costs and impacts of the Bill have not been fully investigated in the documents I have seen. They may have been fully explored in discussions with suppliers. The costs will be large and agreement will be needed on where those costs fall and the extent to which it is reasonable for the Government to underwrite any costs to meet the intended end goal. There is also the question of OFCOM insisting on Audits. Responding to these can be very costly and time consuming. OFCOM, the Telcos and their suppliers will need to speak openly, listen and provide responsible justifications (both ways) and be judged fairly if this Bill is to work as intended. The balance of the desirability of resilience through a diverse infrastructure and agility for the SoS to alter the infrastructure as new security threats emerge will be a complex judgement call. R4 The assistance of an independent Commissioner and Technical Panel, overseen by Parliament and the Judiciary is needed here.

10. The example of the recent SolarWinds Orion network monitoring hack should be used as a test case to determine how this Bill would have helped to mitigate the effects of this attack. Any areas where it is unclear if the Bill would have led to the best response should be reviewed and amended. R5 It would be sensible for the UK Government to set up a Rapid Response Co-ordinated Unit to deal with any similar incident in the future.

11. The manner in which OFCOM chooses to develop its role as regulator will be important for ongoing success. Such undefined points as how OFCOM will determine "significant" risks will be important. Different telcos may see the risks in different lights and impacted users may have different views again. An industry recognised Risk Based score (such as CVE-2020-3436 (nist.gov)) may not actually be appropriate in all scenarios. A balance will be needed between a broadcast announcement of a security risk by OFCOM, so that all users could take action (which might cause speculation, panic and fake news), and quietly mitigating the security incident over an agreed timeframe. R6 There need to be full and clear definitions of all terms related to OFCOM enforcement.

Dr Louise Bennett
Director
Digital Policy Alliance (DPA)

17 January 2021

The DPA is an independent, not for profit, membership organisation which alerts Parliamentarians and policy makers to the potential impacts, implications and unintended consequences of policies associated with online and digital technologies.

Prepared 19th January 2021