Updated network security guidance
Impact on smaller communications companies
Outsourcing of network security requirements
Equipment providers and supply chain risks
Consumers are increasingly using communications-based technologies in their day-to-day lives, growing more reliant on the underlying communications networks and services, and expecting more from their network and service providers. The importance of certain communications services is also changing, with demand for online shopping and banking services (among others) continuing to grow. Combine these developments with the fast pace of operational and technological change within the communications industry and it can be difficult for regulation to keep pace, especially in the areas of security and network reliability.
However, as the use and importance of communications networks and services continue to grow, so too do the concerns around security and reliability. Recognising these trends, and following its experiences with network security and reliability over the past two years, Ofcom released a call for input on December 13 2014 to help it understand the industry's views on how network security and reliability can be better achieved. The call for input reviews Ofcom's current guidance on network security and reliability and identifies specific issues on which Ofcom would like industry feedback.
Traditionally, telecommunications regulation has sought to protect consumers by ensuring availability of supply through universal service conditions and the promotion of competition within the communications industry. At the outset, little formal regulatory attention was paid to the security and reliability of the networks and services themselves. However, this position changed with the introduction of new Articles 13(a) and 13(b) to the European Framework Directive,(1) pursuant to the adoption of the Better Regulation Directive.(2) The incorporation of these articles into the framework directive created, for the first time, formal regulatory requirements concerning the security and integrity of networks and services.
The requirements set out in Articles 13(a) and 13(b) were transposed into English law on May 25 2011 when Sections 105A to 105D were incorporated into the Communications Act 2003. To assist communications providers in complying with these new requirements, Ofcom also issued (and subsequently updated) guidance on the application of the network security requirements. It is this guidance that Ofcom is considering updating.
Ofcom has always envisaged that it would be necessary to update its network security guidance. However, the implications of Ofcom's approach to updating its guidance could have serious ramifications for a number of organisations operating in the telecommunications industry, as well as companies that manufacture and sell goods and services to communications providers. Some of the issues that will need to be considered when the network security guidance is updated are discussed below.
Ofcom acknowledged when it first issued its network security guidance that larger public communications providers were managing security and reliability concerns from a commercial perspective long before the network security requirements were imposed. In contrast, smaller public communications providers are unlikely to have the experience or resources to implement the processes needed to comply with the current network security guidance.
The manner in which communications services are provided makes it very difficult to apply differing standards of security to different communications providers, as any weaknesses in the chain could jeopardise the larger network ecosystem. The approach of leveraging existing infrastructure to help keep costs down has led to network infrastructures being consolidated. While there are many benefits to such an approach, it creates the problem of who is ultimately responsible for ensuring that the network is secure. The approach proposed by Ofcom is to make all public network and service providers bear responsibility for their networks and services, irrespective of whether this overlaps with other providers. While this should ensure that network security is maintained at a certain level, it could result in wasted cost and expenditure for all network providers.
Depending on the approach taken by Ofcom, compliance with the network security guidance could impose a disproportionate burden on smaller public communications providers and harm their ability to compete with the large public communications providers going forward. Ofcom will therefore need to balance these factors when proposing updates to the network security guidance and their application to smaller public communications providers.
Any changes in the network security guidance may also need to be passed on to security providers by public communications providers where the provision and management of network security and reliability are outsourced. This could raise a number of issues. The first is whether any outsourcing provider will be willing to provide sufficiently strong assurances that the public communications provider's network security and reliability will comply with the updated network security guidance. This is likely to depend on Ofcom's approach to the update and whether specific security and reliability standards for communications providers will be introduced. Second, where assurances can be obtained from the outsourcing provider, there is the question of the cost of providing such additional protections. The extent of the changes proposed by Ofcom could have a significant impact on the cost of providing security and reliability services to a communications provider and on whether it will be more cost effective for the communications provider to implement the necessary changes itself. The last issue is whether it will be possible to implement the required changes if the security and resiliency requirements have been offshored by the outsourcing provider. If specific physical changes are imposed in relation to the network infrastructure, these elements will need to be addressed, at a minimum, within the United Kingdom. Ultimately, any costs associated with changes in the network security guidance where the services are outsourced are likely to fall on the communications provider, as even with aggressive outsourcing contracts, technological changes that are required as a result of general changes in law are unlikely to be provided by the outsourcing provider without cost implications.
One specific area of outsourced service provision that Ofcom is reviewing relates to the provision of data centre services, particularly the physical risks associated with shared usage. Ofcom is considering updating the network security guidance to require specific measures to be put in place to ensure that data centre providers maintain appropriate physical levels of security. However, this raises the question as to how much leverage communications providers have over the data centre providers, and whether Ofcom or the UK government should impose these obligations directly on the data centre providers. Ofcom has sought specific feedback on this area as part of its call for input.
The network security guidelines require providers to ensure that they appropriately manage security risks associated with their supply chains and provide a set of principles with which providers must comply. Ofcom considers that, beyond these principles, it is hard to provide specific guidance as to the measures that providers should put in place to mitigate against equipment and supply chain risks.
However, there could also be implications for equipment manufacturers, providers and supply chains arising from other updates to the network security guidance. For instance, depending upon the approach taken by Ofcom, the introduction of specific communications network security and reliability standards could require changes or upgrades to the equipment being provided to the industry. Again, the costs of such changes or upgrades are likely to be borne by the public communications providers.
It appears that Ofcom would like to align its guidance with a security standard governing the security and reliability of communications networks and services. However, at present, no such standard maps directly to the network security requirements. While ISO/IEC 27002 and ISO/IEC 27011 are referenced within the network security guidance, not even these standards map exactly to communications networks and services. The Department for Business, Innovation and Skills has also announced an intention to work with the industry to develop and implement a new standard. However, this standard is intended only to address basic cyber risk at low threat levels.
Compliance with the Network Interoperability Consultative Committee's ND1643 standard is also a requirement under the network security guidance. Compliance with this standard by communications providers has increased considerably in the last 12 months and is intended to apply equally to small and large communications providers. However, Ofcom is not aware of any smaller providers having been certified. While Ofcom intends to support a number of the smaller providers through this process, the lack of take-up by smaller providers is concerning, especially as Ofcom increasingly enforces compliance with the network security guidelines across all public communications providers. The issues that small providers have with this approach are likely to be compounded when the requirements are extended beyond internet protocol interconnections to other areas of the network (eg, the public switched telephone network).
At an EU level, the European Network and Information Security Agency (ENISA) is working with national regulatory authorities to produce a further version of its Technical Guidelines on Security Measures. While not a standard in their own right, these guidelines seek to ensure that the European Union complies with network security requirements. While there are benefits to introducing a harmonised approach to network security and resiliency, Ofcom is aware that material differences across the EU communications markets make this difficult in practice.
Ofcom will therefore need to consider carefully what standards must be adhered to and whether these standards will need to be supplemented with principles taken from other standards/guidance. One approach it may consider is to reference any additional standards/guidelines (including the ENISA Technical Guidelines) within the updated network security guidance as recommended good practice. While this has the benefit of providing additional measurable requirements, it does not implement a specific standard that public communications providers could be audited against – something which still appears to be a long way off.
Ofcom will need to take into consideration a number of different network security and reliability provisions that also apply to public communications providers. These include:
- General Condition 3 in relation to ensuring the proper functioning of networks;
- the requirement to take appropriate technical and organisational measures to safeguard the services under the Privacy and Electronic Communications Regulations 2003;
- the requirement to put in place appropriate technical and organisational measures to protect against unauthorised or unlawful processing of personal data and accidental loss or destruction of, or damage to, personal data under the Data Protection Act 1998; and
- the requirement to ensure compliance with the Regulation of Investigatory Powers Act 2000.
These laws and conditions already feature significantly in public communications providers' compliance programmes and any update to the network security guidance will no doubt build on them.
The deadline for responses to Ofcom's call for input on updates to its guidance on network security is February 21 2014. Industry stakeholders are encouraged to provide their feedback generally on this area, as well as on the specific questions raised by Ofcom. It is not clear how far Ofcom is willing to go to protect consumers and to ensure the security/reliability of public communications providers when it updates the network security guidance. However, it is clear that a delicate balance will need to be achieved to ensure that Ofcom does not impose additional costs on communications providers that could distort the competitive dynamics of the marketplace. Public communications providers, data centre operators and equipment vendors should consider responding to Ofcom's call for input.
For further information on this topic please contact Simon Cloke at Eversheds by telephone (+44 20 7919 4500), fax (+44 20 7919 4919) or email (firstname.lastname@example.org). The Eversheds website can be accessed at www.eversheds.com.