Joint Committee on The Draft Communications Bill Appendices to the Minutes of Evidence


Memorandum submitted by the Information Assurance Advisory Council


  The Information Assurance Advisory Council (IAAC) is a private sector led, cross-industry forum dedicated to promoting a safe and secure Information Society. IAAC brings together corporate leaders, public policy makers, law enforcement and the research community to address the security challenges of the Information Age.

  IAAC is engaged with Government and corporate leaders at the highest levels; it produces innovative policy advice based on professional analysis and global best practice.

  The observations expressed here do not necessarily represent those of all the sponsors and members of IAAC. They draw upon research conducted under contract for IAAC by RAND Europe.


  European and UK legislation give network owners and operators responsibility for network security as well as for data protection. Oftel has recently completed a consultation process to make more explicit the network security standards that it will expect of operators of fixed telephone networks. However, neither Oftel nor the OFCOM Bill has seriously begun to address the issue of information security, especially in relation to the Internet.

  It is a good time to initiate this debate since information security and consumer protection are rising up the European political agenda. Certain European telecoms regulators are taking a much more proactive role in promoting information security in relation to IP and mobile networks; a case can be made for OFCOM to play a much more interventionist role to ensure high standards of security and assurance.


  In the UK and Europe, Governments, businesses and citizens have become increasingly aware of their critical dependencies on the information infrastructures that underpin modern society. At the same time, it has become evident that consumer trust and confidence are vital to the success of e-business and e-government.

  In December 2001, European Governments affirmed that: "the security of transactions and data has become essential for the supply of electronic services, including e-commerce and on-line public services, and low confidence in security could slow the widespread introduction of these services". European Governments agreed a number of actions but noted that:

    "there are legal requirements imposed on providers of telecommunication services to take appropriate technical and organisational measures to safeguard the security of their services; these measures shall ensure a level of security appropriate to those requirements;

    there is a need for individuals, businesses, administrations and other organisations to protect their own information, data and communications systems by deploying effective security technologies".


  The legal requirements that exist on UK communications providers stem from the 1998 Revised Voice Telephony Directive (RVTD), which was transposed into UK law, and from legislation on data protection and privacy. Under the RVTD, the licences issued to Public Telecommunications Operators (PTO) include a number of Essential Requirements. These are "non-market requirements that must be delivered in recognition of the important role that telecommunications plays in the wider economic and social well-being of the country".[113]

  Condition 20 of the Essential Requirements requires the Licensee to take "all reasonably practicable steps to maintain to the greatest extent possible network security and network integrity". Network security here refers to the availability of network services in the face of natural or malicious acts. The term "reasonably practicable" is not defined in the regulations.

  Since 2000, the regulator and the industry have been discussing a set of guidelines that were published for open consultation in December 2001. Oftel made clear that it did not currently see major faults in network security but that it wished to develop commonly understood guidelines for network security and integrity to assist operators and, possibly, against which it could monitor compliance.


  Consultations on the guidelines closed at the end of March 2002. Most of the respondents from the telecommunications industry supported the principles of the guidelines, though some were concerned that, if they were to become criteria against which Oftel would assess compliance, then the guidelines were too prescriptive.

  The Guidelines stipulate that network operators should take a risk management approach: they should seek to prevent problems but should also put in place resilience, redundancy, restoration and repair capabilities. Rather than mandating either network security processes, such as risk management standards, or explicit targets, such as Mean Time Between Failures or percentage availability, the Guidelines "indicate examples of areas that should be given attention". The areas identified include physical security of essential systems, access control to network management systems and collection of network data to identify faults.

  The Guidelines and the consultation process paid only tangential attention to information security, although interconnection between the telephone network and the Internet was mentioned. Only one respondent raised concerns about information security: This was a consumer body, the English Advisory Committee on Communications, the body established to advise Oftel taking into account user perspectives. CCE noted that its members had "become increasingly concerned at the problems caused to consumers in the area of internet access when there are network problems caused by for example "denial of service" attacks. We query where the line is drawn between "telecoms" and "internet" in respect of such problems".[114]


  Oftel makes clear that Condition 20 is quite separate from any requirements that the Cabinet Office may impose on telecoms providers in the name of national security. That separation is evident in the assurance programme undertaken over the past two years by the National Infrastructure Security Co-ordination Centre (NISCC), which has a mandate to assure the Government that the nation's critical information networks, including telecoms, are robust enough to withstand attack.

  NISCC carries no regulatory stick, nor is it concerned with consumer protection. NISCC has engaged with communications service providers, not just fixed telephony providers, by assessing their levels of Information Assurance and providing advice and support where necessary.


  Oftel's useful guidance to network operators and NISCC's behind the scenes programme of bilateral relationships have gone some way towards addressing the risk to the UK's information infrastructures. However, it is useful to take a step back and to think more imaginatively about how government can use the regulator to promote social goals—in this case information security on behalf of users.

  The possible roles that a telecoms regulator could play in promoting information and network security were succinctly outlined by a former senior official of the US FCC in recent discussions on the topic. The spectrum ranges from:

    —  no role in information security;

    —  providing public with information and raising consumer awareness;

    —  gathering information and statistics to assist with consumer complaints/naming and shaming operators;

    —  developing/disseminating best practices and encouraging (via co-regulation) compliance;

    —  investigating violations and enforcing standards; and

    —  full enforcement of standards and penalties for non-compliance/violations.


  That different countries have taken different approaches is evident from a quick glance at our European neighbours. At one extreme are the telecoms regulators in Finland and Switzerland, who have taken it upon themselves to ensure that their nation's information infrastructures are well protected against attack. FICORA, the Finnish National Regulatory Authority (NRA), for instance, runs a Computer Emergency Response Team (CERT) for the sector and employs a full-time staff of 10 to ensure the security of the information networks. The Swiss regulator sees itself very much as part of the country's national security community, protecting networks as well as ensuring competition. Belgium does not go so far, but it has made consumer and citizen protection and awareness a priority: the regulator and the Ministry of Communications have established a virus alerting system that provides warning and advice to all of the country's internet users in real time.

  The opposite pole is represented by regulators from countries such as Austria and the Netherlands who argue for maintaining a focus on the NRA's core business which is, after all, economic and market regulation. It is interesting to note that, in both countries, other public authorities have instead taken a dynamic role in sponsoring initiatives to promote internet security. In Austria, for instance, the Federal Chancellery is working with ISPs to establish a national CERT. In the Netherlands, the Ministry of Public Works is leading a public strategy to promote security awareness and best practice.


  There are two issues with the current UK approach. First, within its core area of business, fixed voice telephony, Oftel has been reluctant to mandate or legislate security standards. This "light touch" regulatory approach may be appropriate but there is little concomitant drive to provide systematic information and advice to consumers on security issues. Second, Oftel's narrow focus means that the mobile and Internet networks upon which society is increasingly reliant continue to depend upon self-regulation and voluntary co-operation to, for instance, educate users and share data on information security incidents.

  Should the current approach change under OFCOM? There is a strong argument that OFCOM should not be burdened with extra duties such as promoting information security. The new regulator will be heavily burdened to start with and would be loath to enter an area fraught with difficulties that, for now, the Government has decided to treat in a non-regulatory manner.

  Nonetheless, as information and network security rise up the political and public agenda in a world that is increasingly dependent upon telecommunications for vital services and e-business, there are three measures that OFCOM should seriously consider.

  First, OFCOM will be committed to a co-regulatory approach, with an intention to move towards self-regulation. Users, both corporate and home, will be represented in this co-regulatory regime but it should be OFCOM's role to provide them with the information they need to act. This information needs to extend to Quality of Service indicators, including network and information security. This will have two purposes: (i) stimulate consumer awareness and hence the market in an area in which there is an acknowledged market failure and (ii) encourage service providers to adopt best practices against clear benchmarks.

  Second, as the DTI's Information Security Breaches Survey 2002 points out, one reason why UK firms do not have adequate information security measures in place is the lack of industry benchmarks and of measures, at a broad level, for understanding return on investment. Although such standards are gradually emerging, OFCOM is well placed to facilitate the emergence of common standards, benchmarks and metrics.

  Third, OFCOM, either itself or in collaboration with other government departments such as the DTI and the Home Office, should provide an education, advisory, alert and warning service to UK internet users. Currently, this information is provided on a best practice basis by the DTI to SMEs and by NISCC to selected critical industries. The telcos and ISPs are important partners in the provision of such information to consumers, but the provision of this information cannot be left to market forces alone. The Finnish, Belgian and Swiss models provide useful examples that can be rapidly adapted for the UK market.

  By empowering consumers with real information and advice and providing service providers with international benchmarks and standards, OFCOM can contribute significantly to the Government's objective of making the UK a world leader in e-business and e-government.

July 2002

113   Oftel, Consultation on guidelines on the essential requirements for network security and integrity, and on criteria for restriction of access to the network, 10 December 2001.

114   Letter from CCE Chair Moria Black to David Edmonds, 11 March 2002.


© Parliamentary copyright 2002
Prepared 5 August 2002