ISP industry blasts UK Telecoms Security Bill for vague requirements, high costs of compliance

Introduced last year by the Department for Digital, Culture, Media and Sport (DCMS), the UK's Telecommunications Security Bill aims to change how mobile and fixed-line communications systems are built and operated.

The bill is a recognition of the importance of comms networks to national security, and was largely spurred by the growing use of equipment from so-called "high risk" vendors, namely Huawei and ZTE.

But the reception from networks has been lukewarm. Although ISPs and mobile networks recognise the importance of ensuring the integrity of the nation's communications infrastructure, the devil very much lurks in the details. The wholesale overhaul proposed by the Telecoms Security Bill would result in high costs for operators, who would be forced to rip and replace existing equipment, potentially disrupting ongoing network upgrades.

But it's not just the cost of new infrastructure keeping operators up at night. In January, DCMS published a draft statutory instrument [PDF] that defined in greater detail what obligations operators would face for monitoring and securing networks, ostensibly for the purpose of identifying cases of intrusion and compromise.

One proposed requirement states network providers must "take proportionate measures" to monitor transiting connections "for the purpose of identifying anomalous activity." Expanding upon this, it defines a requirement to "maintain a record of all access" to the network for 13 months.

This requirement has provoked alarm in the ISP industry. In a response to the draft statutory instrument obtained by this publication, the Internet Service Provider's Association (ISPA) described these data retention requirements as "unclear" and "disproportionate."

"It is not clear exactly what level of data will need to be recorded in order to meet these requirements beyond excluding the content of signals," it said. "For example, is it aimed at holding data on end-user access to services, internal access logs, or internet connection records?"

This vagueness, it said, prevents the industry from providing the government with information on the feasibility of implementing the requirement, as well as the costs it may incur from doing so.

Other proposals may have the ironic effect of undermining network security, rather than fostering it. The statutory bill would require networks to "prevent activities that unreasonably restrict monitoring, analysis and investigation."

As currently written, it's hard to see how this requirement can co-exist with encryption.

"[This requirement] has potentially wide-ranging consequences, particularly as there are ongoing changes to encrypt various layers of the internet architecture. We require more detail on what action would be required from providers to comply with this section before we can provide an assessment of its impact," ISPA said.

Founded in 1995, ISPA is a trade body representing fixed-line network providers in the UK. Its members include Virgin Media, BT, Community Fibre, Openreach, and Nominet among others and it lobbies government on behalf of commercial entities.

The commentary from ISPA also notes that monitoring requirements already exist, including through the Investigatory Powers Act. Passed in 2016 to the dismay of privacy advocates, the IPA's requirements, as well as the mechanisms in which data can be accessed by a government body, are well defined. It also includes a framework in which ISPs can recover the costs associated with complying with the act.

That level of detail is conspicuously absent from the proposed Telecoms Security Bill statutory instrument. In its response, ISPA expressed concern that forcing ISPs to retain data beyond their existing obligations would stymie competition, with the additional costs potentially hampering the ongoing rollout of nationwide gigabit connectivity.

While ISPA would like to see additional clarity from DCMS on what data ISPs would be obligated to record, financial support also ranks highly on its wish list. "If the regulations are looking to impose similar or even remotely similar obligations [to the Investigatory Powers Act], an equivalent [support] framework should apply. This should include financial compensation and assistance to meet the obligations."

In a separate response to the statutory instrument [PDF], ISPA also urged the government to create a scheme that would reimburse smaller fixed-line network operators for their costs in removing high-risk vendors, similar to that offered by the US's Federal Communications Commission to smaller rural neworks.

"The full impact of the [high risk vendor] restriction policy on fixed fibre networks is still being determined," it said. "There are a large and diverse number of companies involved in providing an often-interlinked range of networks and services to end users. Some of these will be SMEs that lack the same level of compliance and financial support as others in the industry."

So far, the main focus of the rip-and-replace mandate has been cast on 5G wireless operators, who are forced to shoulder their own costs. DCMS has said it expects the cost of removing existing Huawei-made 5G equipment to be £2bn. Separately, BT has said it will spend around £500m to remove Huawei-made equipment from its 5G and fixed-line networks.

Additionally, some have expressed fears that this could also hamper economic growth and competitiveness. One report from the Centre for Policy Study claimed the UK could lose out on £41bn in economic output should carriers experience significant delays in rolling out 5G.

Another report from analyst firm Assembly, and commissioned by Huawei, placed that figure at £18.2bn should the 5G rollout be delayed by three years.

Industry-wide concerns

The concerns expressed by ISPA have been shared by other industry players. A response [PDF] written by the Internet Telephony Service Providers' Association (ITSPA) describes the current wording as giving the Secretary of State for Digital a "mandate to dictate the technological direction" of networks with little oversight. This "unfettered" power would be a reversal from the light-touch approach to regulation taken by previous governments, it added.

ITSPA, which includes RingCentral and Zen Internet as members, urged the creation of an oversight regime. Requirements imposed on ISPs would be forced to meet a double-lock test. The first "lock" examines the proportionality of a measure, with the prospect of price inflation explicitly named as a factor of consideration. The second test would examine whether any compliance regime would unfairly disadvantage certain players, and thus have a distorting effect on the market.

techUK, a nonprofit industry group that counts Red Hat, Verizon, and Barclays as members, echoed the concerns [PDF] raised by ISPA with respect to the overall lack of clarity on the finer details of how this regulatory environment would work, as well the absence of any financial support for compliance. This, it said, is disproportionate given the cost that will be incurred by the bill's rip-and-replace mandate.

"Given the costs of compliance and removal of high-risk vendors, techUK believes that industry should not be required to fund the enforcement regime for example," it said.

Considering the ongoing lobbying efforts to amend the language in the statutory instrument, ISPs were reluctant to publicly condemn the legislation. One ISP insider told The Register: "There are concerns in industry that the government is using the debate about High Risk Vendors to adopt a heavy-handed approach to the market.

"They're telling businesses what they can and can't buy, intervening in mergers, proscribing how to run operations, and dictating how to monitor networks, without fully understanding the impact on the sector or putting the necessary safeguards and support in place, or debating this in public as you would expect. It seems a strange way to support a sector so crucial to our recovery from the pandemic."

ISPA chair Andrew Glover told us: "Security is a priority for the ISP industry and we have been working closely with members and government to scrutinise the duties in the Telecoms Security Bill. We will continue to push to ensure that the measures are proportionate and workable."

DCMS sent us a statement:

"The security of our telecoms networks is paramount and it is vital that we bring in tough new security standards to protect them for the future.

"We understand many organisations will have views and once the Bill becomes law we will launch a consultation on the draft code of practice and carefully consider the responses of all those affected." ®