The UK Government’s (UKG) proposals for new, sector-specific cybersecurity rules continue to take shape. Following the announcement of a Product Security and Telecommunications Infrastructure Bill and a consultation on the security of apps and app stores in the Queen’s Speech (which we briefly discuss here), the UKG issued a call for views on whether action is needed to ensure cyber security in data centres and cloud services (described here).
In recent weeks, the UKG has made two further announcements:
- On 30 August 2022, it issued a response to its public consultation on the draft Electronic Communications (Security measures) Regulations 2022 (Draft Regulations) and a draft Telecommunications Security code of practice (COP), before laying a revised version of the Draft Regulations before Parliament on 5 September.
- On 1 September 2022, it issued a call for information on the risks associated with unauthorized access to individuals’ online accounts and personal data, and measures that could be taken to limit that risk.
We set out below further detail on these latest developments.
*****
UKG response to public consultation on telecoms security regulations and a code of practice
Last year, the Telecommunications (Security) Act 2021 passed, creating a new security framework for public communications network and service providers. Section 1 of that Act (amending the Communications Act 2003) granted the UKG the power to pass regulations specifying the precise security measures that providers of public electronic communications networks (ECN) and public electronic communications services (ECS)) must implement. Section 3 also granted the Secretary of State for the Department of Digital, Culture, Media and Sport to issue codes of practice setting out how ECN and ECS should comply with these specific measures.
The Draft Regulations and COP therefore aim to set out the precise security measures that ECN and ECS providers must take to comply with the Act. The UKG’s consultation response follows submissions from 38 stakeholders, and addresses a number of specific, technical concerns about the requirements of the Draft Regulations and COP (e.g., precisely when encryption must be applied to signals, and the need to retain data about logging and monitoring for 13 months).
Most prominently, the revised version of the Draft Regulation includes obligations on ECN and ECS providers to:
- reduce the risk of unauthorized access to their networks and services (including specific obligations to ensure workstations that can make changes to security-critical functions are not exposed to external traffic, and to monitor ongoing risks proactively). It also obliges ECN only providers to protect data transmitted across those networks (including specific obligations to ensure their networks are secure by design);
- ensure they can identify security risks without the use of staff or equipment outside the UK, and operate their services without the use of such staff or equipment, on the basis that this limits the risk that foreign actors (including governments) could undermine the integrity of UK communications networks;
- Minimize, for similar reasons, misuse of tools that allow monitoring of data on ECN or ECS located outside the UK. (The Draft Regulations prohibit the use of tools on servers located in certain countries, including—for now at least—China, Russia, and Iran);
- monitor and analyze access to “security critical functions” (i.e., functions that are likely to have a material impact on the whole of or part of a service) to identify any compromise;
- minimize the risk of security compromises arising from suppliers;
- put in place appropriate governance frameworks, including obligations to have standardised processes for categorizing security incidents, to mandate post-incident reviews, and, like the EU’s NIS2 Directive, to require a person or committee at board level to have responsibility for the security policy required by the Telecommunications (Security) Act, and to prepare for incidents to minimize the impact of those incidents; and
- conduct regular reviews and ensure software and hardware are up to date.
The COP provides additional detail on these requirements, and establishes three “tiers” of ECN and ECS provider (based on their turnover—there is no provision in the COP for Ofcom to expressly designate ECN and ECS providers as being in particular tiers). Smaller providers with turnover of under GBP 50m (i.e., those in Tier 3) are not expected to comply with the COP, but may do so voluntarily. Other providers (i.e., those in Tier 1 and Tier 2) are required to comply, but those in Tier 2 (with turnover of GBP 50m-1bn) will have additional time to do so. It explains that Ofcom will be responsible for taking enforcement action in the event of non-compliance, and that Ofcom will consult on an update to its existing guidance on enforcement to take account of these new rules.
The consultation response confirmed that the tiering system for providers in the COP would remain in place, but extended the timelines for compliance. Tier 1 providers will be required to implement the COP in four stages: certain provisions must be complied with by 31 March 2024, with additional milestones through to 31 March 2028. Tier 2 providers will not have to meet the 31 March 2024 milestone, but will otherwise be expected to meet the same milestones as Tier 1 providers.
On 5 September, the UKG laid the amended Draft Regulations before Parliament, and aims for them to come into force on 1 October 2022. The COP will be laid before Parliament on or after the day the Regulations come into force, and absent any objections, will be issued in final form 40 days later.
Call for information on unauthorized access to online accounts and personal data
Among other things, the UK Computer Misuse Act 1990 makes unauthorized access to online accounts and computer systems a criminal offence. Although providers offering online accounts (e.g., providers of financial services, e-commerce, and communications services) are subject to existing obligations to keep accounts and associated data secure, the UKG’s call for information states that the UKG still has concerns about the vulnerability of these online accounts.
The call for information states that the Home Office is considering new measures to reduce the burden of keeping accounts secure on individuals, and placing greater responsibility on providers to make their offerings secure by default by imposing a “Cyber Duty to Protect”.
To that end, the call for information requests stakeholders’ views on matters including:
- the types of harms that can arise from this sort of unauthorized access in different circumstances;
- who should have responsibility for ensuring protection against these sorts of harms;
- what actions companies currently take to prevent them; and
- their experience of enhanced authentication solutions, such as two-factor authentication.
The call for information is open under 27 October 2022, after which the UKG may propose new legislation or other instruments.