
TMT legal update: Ofcom to reconsider network security guidance requirements

    • Telecoms - articles
    • Technology, Media and Telecoms - Telecoms

    21-01-2014

    Précis – In May 2011 Ofcom published guidance on how communications service and network providers should comply with the new security measures brought into force in the UK following changes to the European Communications Regulatory Framework.  Ofcom now intends to update this guidance to take into account the changes in the security landscape over the past few years and has issued a call for inputs on how such changes should be approached.

    What? Traditionally, telecommunications regulation has sought to protect consumers by ensuring availability of supply through universal service conditions and the promotion of competition within the communications industry.  At the outset very little formal regulatory attention was paid to the security and reliability of the networks and services themselves.  However, this position changed on 25 May 2011 when sections 105 (A)–(D) were incorporated into the Communications Act 2003 (the “Network Security Requirements”) to impose specific security and reliability requirements on providers of public communications networks and services, and Ofcom issued (and subsequently updated) guidance on the application of the Network Security Requirements (the “Network Security Guidance”). 

    So what? Ofcom has always envisaged that it would be necessary to update its Network Security Guidance and for a number of reasons considers that now would be an appropriate time to carry out such an update.  It cites a number of different factors for this, including:

    • the importance of communications networks and services and the expectations that are placed on them;
    • the changes in importance of certain services within the industry and the growth of online shopping and banking;
    • the changes that have occurred in the broader security environment and especially increasing concerns around cyber security;
    • the technological and operational changes that have occurred within the industry; and
    • the valuable experience and insight that Ofcom has gained in the past 2 years relating to the application of the Network Security Guidance (including the identification of certain gaps within that guidance).

    Ofcom has therefore issued a call for inputs to relevant stakeholders setting out those changes to the Network Security Guidance that it is considering, as well as requesting feedback on those areas that could benefit from revision and comment more generally.  The areas of the Network Security Guidance on which Ofcom has specifically requested feedback include:

    • the industry’s views on emerging and potential future security threats and availability risks, and whether these should be addressed in the revised guidance;
    • how the Network Security Guidance should be updated to reflect certain issues, including: (i) the ENISA guidelines on security controls; (ii) supply chain management; (iii) the use of third party data centres; and (iv) the application of the Network Security Guidance to smaller communications providers;
    • how risks can be best identified and appropriate information made available to end users;
    • whether additional guidance needs to be provided on network availability and the provision of related consumer information;
    • whether it would be helpful for Ofcom to clarify its expectations around the reporting requirements under the Network Security Guidance where wholesale and over the top arrangements are in place, and concerning fault monitoring more generally;
    • views on the appropriate reporting thresholds for incidents relating to: (i) smaller providers; (ii) mobile networks; (iii) data services; and (iv) services that suffer partial failures; and
    • whether the process for reporting significant incidents under the Network Security Guidance needs to be revised.

    The implications of Ofcom’s approach to this updated guidance could have serious ramifications for a number of organisations operating in the telecommunications industry, as well as companies that manufacture and sell goods and services to communications providers.  Ofcom acknowledged when it first issued its Network Security Guidance that larger public communications providers had been managing security and reliability concerns from a commercial perspective since long before the Network Security Requirements were imposed.  In contrast, smaller public communications providers are unlikely to have the experience or resources to implement the compliance processes needed to comply with the current Network Security Guidance.

    The manner in which communications services are provided makes it very difficult to apply differing standards of security to different communications providers as any weaknesses in the chain could jeopardise the larger network ecosystem.  Depending on the approach taken by Ofcom, compliance with the Network Security Guidance by smaller public communications providers could impose a disproportionate burden on such providers and harm their ability to compete with the large public communications providers going forward.  Ofcom will therefore need to carefully balance these factors when proposing updates to the Network Security Guidance, and their application to smaller public communications providers.

    Any changes in the Network Security Guidance may also need to be flowed through to security providers by public communications providers where the provision and management of network security and reliability is outsourced.  This could raise a number of issues.  First, whether any outsourcing provider will be willing to give sufficiently strong assurances that the public communications provider’s network security and reliability will comply with the updated Network Security Guidance.  Secondly, where such assurances can be obtained from the outsourcing provider, the cost of providing the additional protections.  Lastly, whether it will be possible to implement the required changes at all if the outsourcing provider has offshored the delivery of the security and resiliency requirements.  Ultimately, any costs associated with changes in the Network Security Guidance, where the services are outsourced, are likely to fall on the communications provider, as even under aggressive outsourcing contracts, technological changes required as a result of general changes in law are unlikely to be provided by the outsourcing provider without cost implications.

    One specific area of outsourced service provision that Ofcom has focused upon in the call for inputs is the provision of data centre services. Ofcom is considering updating the Network Security Guidance to require specific measures to be put in place to ensure appropriate physical levels of security be maintained by data centre providers.  However, this raises the question as to how much leverage communications providers have over the data centre providers and whether these obligations should be imposed directly on the data centre providers by Ofcom or the UK Government. 

    There could also be implications for equipment manufacturers and providers arising from any updates to the Network Security Guidance.  Depending upon the approach taken by Ofcom, the introduction of specific communications network security and reliability standards could require changes and/or upgrades to the equipment being provided to the industry.  Again, the costs of such changes and/or upgrades are likely to be borne by the public communications providers.

    Ideally, Ofcom would like to make reference to a security standard governing the security and reliability of communications networks and services.  However, at present no such standard exists that maps directly to the Network Security Requirements, although a number of standards are referenced within the Network Security Guidance (ISO 27002, ISO 27011 and NICC ND1643).  Ofcom also makes reference to ENISA’s “Technical Guidelines on Security Measures” and the benefits of introducing a harmonised approach to security across the EU.  Ultimately, Ofcom wants to better understand the industry’s views on the application of the above standards (and/or others) and whether it would be possible to create a standard that maps specifically to the network security and reliability risks faced by public communications providers, and against which communications providers could be audited.

    The closing date for responses to Ofcom’s call for inputs on updates to its guidance on network security is 21 February 2014, with industry stakeholders encouraged to provide their feedback generally, as well as specifically on the questions raised by Ofcom.  It is not clear how far Ofcom is willing to go to protect consumers, and to ensure the security and reliability of public communications providers’ networks, when it updates the Network Security Guidance.  However, it is clear that a very delicate balance will need to be achieved to ensure that Ofcom does not impose additional costs on communications providers that could distort the competitive dynamics of the marketplace.  Public communications providers, data centre operators and equipment vendors should therefore consider responding to the call for inputs.
