On 17 November 2021, the Telecommunications (Security) Act 2021 (the “Security Act”) was passed into law.
The Security Act will amend the existing security duties under the Communications Act 2003 (the “Communications Act”) which are applicable to providers of Public Electronic Communications Networks (“PECNs”) and Public Electronic Communications Services (“PECSs”).
As part of the amendments to the Communications Act, the Security Act:
- replaces the existing security obligations and duties in the Communications Act with a more comprehensive set of obligations;
- imposes a new duty on Ofcom to ensure providers of PECNs and PECSs comply with their obligations;
- introduces new powers for the UK Government to specify how such obligations should be complied with;
- gives Ofcom powers to monitor and enforce compliance with these new obligations; and
- introduces penalties for non-compliance with these new obligations.
In this article, we summarise the main matters being introduced by the Security Act and provide an overview of what this means for the security of PECNs and PECSs in the UK.
A. New obligations on providers of PECNs and PECSs
Prior to the Security Act’s introduction, the Communications Act already included obligations relating to security.
The pre-existing obligations were generic: providers of PECNs and PECSs had to take “technical and organisational measures” to “manage risks” to the security of their networks and services. These provisions were drafted on an open-ended basis, leaving it to providers of PECNs and PECSs to determine what measures to take to “manage risks”. In particular, there was no definition of what constituted a risk to security.
The Security Act replaces the pre-existing provisions with obligations that are much more detailed. In particular:
- The Security Act now introduces a detailed definition of a “security compromise” which extends to matters including, but not limited to:
  - anything that compromises the availability, performance or functionality of the network or service;
  - unauthorised access;
  - anything compromising the confidentiality of signals; and
  - anything that causes signals to be lost, unintentionally altered or altered otherwise than by or with the permission of the provider of the network or service.
The Security Act recognises the interconnectivity between networks and that security compromises can extend beyond a single network. A security compromise under the Security Act includes anything that occurs in connection with a network or service which causes a connected security compromise to another network or service. Telecoms operators are therefore now obliged to consider how compromises to their own services or networks will impact another network or service.
- Providers of PECNs and PECSs are now obliged to take appropriate and proportionate measures to:
  - identify the risks of security compromises occurring;
  - reduce the risks of security compromises occurring; and
  - prepare for the occurrence of security compromises.
- On the occurrence of a security compromise, providers of PECNs and PECSs are now obliged to take measures to prevent the adverse effects arising from the security compromise. This is a new obligation which was not previously included in the Communications Act.
B. Powers for the Secretary of State
The Security Act provides the Secretary of State with several new powers, including:
- The power to make regulations stating specific measures which the provider of a PECN or PECS must take in relation to security compromises. This includes:
  - measures to identify risks, reduce risks and prepare for the occurrence of security compromises; and
  - measures to be taken on the occurrence of a security compromise.
  Such regulations may be made so as to apply only to a single provider of PECNs or PECSs;
- The power to issue codes of practice, with guidance as to measures for providers of PECNs and PECSs to take to comply with their new obligations under the Communications Act; and
- The power to make “designated vendor directions”. In making such a direction, the Secretary of State can control how goods, services or facilities from a designated vendor are used, or restricted from use, in telecommunications networks and services in the UK. These powers are related to initiatives the UK Government introduced in 2020 relating to high-risk vendors, starting with Huawei (see our blog post in relation to Huawei and high-risk vendors here).
C. New obligations to inform users and Ofcom of risks of security compromises
The Security Act introduces new duties on providers of PECNs and PECSs to inform users of significant risks of security compromises, and to inform Ofcom of the occurrence of security compromises in certain circumstances.
D. New powers for Ofcom
The Security Act introduces several new powers for Ofcom. This includes, but is not limited to, the following powers:
- Powers for Ofcom to inform the following persons of the risk or occurrence of a security compromise: users of a network or service, communications providers, persons who make associated facilities available, overseas regulators, and the European Union Agency for Cybersecurity.
  Ofcom may go as far as telling users of the network or service what measures to take to prevent the security compromise, or to remedy or mitigate the adverse effect the security compromise has on them;
- Powers for Ofcom to direct the provider of PECNs and PECSs to inform users of the matters noted above;
- Powers for Ofcom to assess providers of PECNs and PECSs’ compliance with the new obligations introduced into the Communications Act; and
- Powers for Ofcom to enforce compliance by providers of PECNs and PECSs with the new obligations introduced into the Communications Act.
E. Penalties for non-compliance
The Security Act introduces several penalties for non-compliance with the new obligations, including:
- Civil liability for breach of any duties introduced under the Security Act;
- For non-compliance with the new security obligations, a fine of up to ten (10) percent of the provider’s relevant turnover, or £100,000 per day for continuing failures; and
- For a failure to provide information, or a refusal to explain a failure to follow a code of practice, a fine of up to £10 million, or £50,000 per day for continuing failures.
F. What do these changes mean for the security of telecoms networks and services?
The introduction of the Security Act follows a broader trend of increased government intervention in the security of telecommunications networks. Other UK Government initiatives focused on national security include the National Cyber Security Centre’s Telecommunications Security Requirements, the National Security Council’s various bans in 2020 on the procurement and use of Huawei 5G equipment in national telecommunications networks (which we blogged about here) and the National Security and Investment Act 2021 (which applies to communications networks).
It is clear that the Security Act takes the discretion to decide what security measures to take, and what action to take on a security breach, out of the hands of telecoms operators and places it in the hands of the Government.