Memorandum submitted by the Information Assurance Advisory Council
The Information Assurance Advisory Council (IAAC)
is a private sector led, cross-industry forum dedicated to promoting
a safe and secure Information Society. IAAC brings together corporate
leaders, public policy makers, law enforcement and the research
community to address the security challenges of the Information
IAAC is engaged with Government and corporate
leaders at the highest levels; it produces innovative policy advice
based on professional analysis and global best practice.
The observations expressed here do not necessarily
represent those of all the sponsors and members of IAAC. They
draw upon research conducted under contract for IAAC by RAND Europe.
European and UK legislation give network owners
and operators responsibility for network security as well as for
data protection. Oftel has recently completed a consultation process
to make more explicit the network security standards that it will
expect of operators of fixed telephone networks. However, neither
Oftel nor the OFCOM Bill has seriously begun to address the issue
of information security, especially in relation to the Internet.
It is a good time to initiate this debate since
information security and consumer protection are rising up the
European political agenda. Certain European telecoms regulators
are taking a much more proactive role in promoting information
security in relation to IP and mobile networks; a case can be
made for OFCOM to play a much more interventionist role to ensure
high standards of security and assurance.
In the UK and Europe, Governments, businesses
and citizens have become increasingly aware of their critical
dependencies on the information infrastructures that underpin
modern society. At the same time, it has become evident that consumer
trust and confidence are vital to the success of e-business and
In December 2001, European Governments affirmed
that: "the security of transactions and data has become essential
for the supply of electronic services, including e-commerce and
on-line public services, and low confidence in security could
slow the widespread introduction of these services". European
Governments agreed a number of actions but noted that:
"there are legal requirements imposed on
providers of telecommunication services to take appropriate technical
and organisational measures to safeguard the security of their
services; these measures shall ensure a level of security appropriate
to those requirements;
there is a need for individuals, businesses,
administrations and other organisations to protect their own information,
data and communications systems by deploying effective security
The legal requirements that exist on UK communications
providers stem from the 1998 Revised Voice Telephony Directive
(RVTD), which was transposed into UK law, and from legislation
on data protection and privacy. Under the RVTD, the licences issued
to Public Telecommunications Operators (PTO) include a number
of Essential Requirements. These are "non-market requirements
that must be delivered in recognition of the important role that
telecommunications plays in the wider economic and social well-being
of the country".
Condition 20 of the Essential Requirements requests
the Licensee to take "all reasonably practicable steps to
maintain to the greatest extent possible network security and
network integrity". Network security refers to the availability
of network services in the face of natural or malicious acts.
The terms "reasonably practicable" are not defined in
Since 2000, the regulator and the industry have
been discussing a set of guidelines that were published for open
consultation in December 2001. Oftel made clear that it did not
currently see major faults in network security but that it wished
to develop commonly understood guidelines for network security
and integrity to assist operators and, possibly, against which
it could monitor compliance.
5. THE CONSULTATIONS
Consultations on the guidelines closed at the
end of March 2002. Most of the respondents from the telecommunications
industry supported the principles of the guidelines, though some
were concerned that, if they were to become criteria against which
Oftel would assess compliance, then the guidelines were too prescriptive.
The Guidelines stipulate that network operators
should take a risk management approach, should seek to prevent
problems but should put in place resilience, redundancy, restoration
and repair capabilities. Rather than mandating either network
security processes, such as risk management standards, or explicit
targets, such as Mean Time Between Failures or percentage availability,
the Guidelines "indicate examples of areas that should be
given attention". The areas identified include physical security
of essential systems, access control to network management systems
and collection of network data to identify faults.
The Guidelines and the consultation process
paid only tangential attention to information security, although
interconnection between the telephone network and the Internet
was mentioned. Only one respondent raised concerns about information
security: this was a consumer body, the English Advisory Committee
on Communications (CCE), the body established to advise Oftel taking
into account user perspectives. CCE noted that its members had
"become increasingly concerned at the problems caused to
consumers in the area of internet access when there are network
problems caused by for example "denial of service" attacks.
We query where the line is drawn between "telecoms"
and "internet" in respect of such problems".
6. NISCC'S ROLE
Oftel makes clear that Condition 20 is quite
separate from any requirements that the Cabinet Office may impose
on telecoms providers in the name of national security. This is
clear from the assurance programme undertaken over the past two
years by the National Infrastructure Security Co-ordination Centre
(NISCC), which has a mandate to assure the Government that the
nation's critical information networks, including telecoms, are
robust enough to withstand attack.
NISCC carries no regulatory stick, nor is it
concerned with consumer protection. NISCC has engaged with communications
service providers, not just fixed telephony providers, by assessing
their levels of Information Assurance and providing advice and
support where necessary.
Oftel's useful guidance to network operators
and NISCC's behind-the-scenes programme of bilateral relationships
have gone some way towards addressing the risk to the UK's information
infrastructures. However, it is useful to take a step back and
to think more imaginatively about how government can use the regulator
to promote social goals, in this case information security
on behalf of users.
The possible roles that a telecoms regulator
could play in promoting information and network security were
succinctly outlined by a former senior official of the US FCC
in recent discussions on the topic. The spectrum ranges from:
no role in information security;
providing public with information
and raising consumer awareness;
gathering information and statistics
to assist with consumer complaints/naming and shaming operators;
developing/disseminating best practices
and encouraging (via co-regulation) compliance;
investigating violations and enforcing
full enforcement of standards and
penalties for non-compliance/violations.
That different countries have taken different
approaches is evident from a quick glance at our European neighbours.
At one extreme are telecoms regulators in Finland and Switzerland
who have taken it upon themselves to ensure that their nation's
information infrastructures are well protected against attack.
FICORA, the Finnish National Regulatory Authority (NRA), for instance
runs a Computer Emergency Response Team (CERT) for the sector
and employs a full time staff of 10 to ensure the security of
the information networks. The Swiss regulator sees itself pretty
much as part of the country's national security community, protecting
networks as well as ensuring competition. Belgium does not go
so far but it has made consumer and citizen protection and awareness
a priority. The regulator and the Ministry of Communications have
established a virus alerting system that provides warning and
advice to all of the country's internet users in real-time.
The opposite pole is represented by regulators
from countries such as Austria and the Netherlands who argue for
maintaining a focus on the NRA's core business which is, after
all, economic and market regulation. It is interesting to note
that, in both countries, other public authorities have instead
taken a dynamic role in sponsoring initiatives to promote internet
security. In Austria, for instance, the Federal Chancellery is
working with ISPs to establish a national CERT. In the Netherlands,
the Ministry of Public Works is leading a public strategy to promote
security awareness and best practice.
9. WHAT ROLE
There are two issues with the current UK approach.
First, within its core area of business, fixed voice telephony,
Oftel has been reluctant to mandate or legislate security standards.
This "light touch" regulatory approach may be appropriate
but there is little concomitant drive to provide systematic information
and advice to consumers on security issues. Second, Oftel's narrow
focus means that the mobile and Internet networks upon which society
is increasingly reliant continue to depend upon self-regulation
and voluntary co-operation to, for instance, educate users and
share data on information security incidents.
Should the current approach change under OFCOM?
There is a strong argument that OFCOM should not be burdened with
extra duties such as promoting information security. The new regulator
will be heavily burdened to start with and would be loath to enter
an area fraught with difficulties that, for now, the Government
has decided to treat in a non-regulatory manner.
Nonetheless, as information and network security
rise up the political and public agenda in a world that is increasingly
dependent upon telecommunications for vital services and e-business,
there are three measures that OFCOM should seriously consider.
First, OFCOM will be committed to a co-regulatory
approach, with an intention to move towards self-regulation. Users,
both corporate and home, will be represented in this co-regulatory
regime but it should be OFCOM's role to provide them with the
information they need to act. This information needs to extend
to Quality of Service indicators, including network and information
security. This will have two purposes: (i) stimulate consumer
awareness and hence the market in an area in which there is an
acknowledged market failure and (ii) encourage service providers
to adopt best practices against clear benchmarks.
Second, as the DTI's Information Security
Breaches Survey 2002 points out, one reason why UK firms do
not have adequate information security measures in place is the
lack of industry benchmarks and of measures at broad level to
understand return on investment. Although such standards are gradually
placed to facilitate the emergence of common standards, benchmarks
Third, OFCOM, either itself or in collaboration with
other government departments such as the DTI and Home Office, would
provide an education, advisory, alert and warning service to UK
internet users. Currently, this information is provided on a best
practice basis by the DTI to SMEs and by NISCC to selected critical
industries. The telcos and ISPs are important partners in the
provision of such information to consumers but the provision of
this information cannot be left to market forces alone. The Finnish,
Belgian and Swiss models provide useful examples that can be rapidly
adapted for the UK market.
By empowering consumers with real information
and advice and providing service providers with international
benchmarks and standards, OFCOM can contribute significantly to
the Government's objective of making the UK a world leader in
e-business and e-government.
113 Oftel, Consultation on guidelines on the essential
requirements for network security and integrity, and on criteria
for restriction of access to the network, 10 December 2001.
Letter from CCE Chair Moira Black to David Edmonds, 11 March 2002.