Factsheet 4: Ofcom and Telecoms Security
Published 24 November 2020
What is Ofcom going to do?
Ofcom is the UK’s communications regulator. It will monitor, assess and enforce compliance with the new telecoms security framework that will be established by the Telecommunications (Security) Bill. Ofcom will also have a role in monitoring compliance with new controls on the use of high risk vendors, when issued with a monitoring direction, gathering the evidence needed for the Secretary of State to enforce those controls.
How is Ofcom going to do it?
Monitoring and enforcement of compliance with the new telecoms security framework
The Telecommunications (Security) Bill will strengthen the security and resilience of UK telecoms networks and services by imposing new legal duties on public telecoms providers. The Bill will provide Ofcom with a general duty to ensure providers comply with their new security duties. Ofcom will be responsible for monitoring compliance and will be given enforcement powers to take action where providers are not meeting their obligations. Ofcom will publish guidance to explain how it will carry out its new role.
Ofcom’s new powers and responsibilities will enable it to:
-
Proactively assess the security practices of larger telecoms providers. All public telecoms providers will need to comply with new security obligations. Ofcom will closely engage with larger telecoms providers to ensure that they are meeting their security duties. Ofcom’s powers to verify compliance will include requesting and reviewing relevant information, interviewing technical and management staff and observing work on company premises. Industry will be consulted on the best way to practically and efficiently implement this approach. Ofcom will also work with larger telecoms providers to complete ‘penetration testing’ that will simulate hostile cyber attacks. In assessing compliance with the new framework, Ofcom will take account of any security codes of practice issued by the Secretary of State.
-
Take action where security is, or is at risk of being, compromised. Security compromises can be very damaging, so public telecoms providers need to make every effort to prevent them. If Ofcom thinks there has been, or is an imminent risk of, a serious security compromise, it will be able to require a telecoms provider to take interim steps while it investigates further. The new framework will also include tougher obligations on telecoms providers for incident reporting. Where Ofcom considers that there has been a security compromise or there is risk of it occurring, Ofcom can share this information with the people directly affected, other companies, the government and overseas regulators. Alternatively Ofcom can require the relevant telecoms provider to inform the affected people and businesses. Ofcom will have the power to require providers to take action to limit or mitigate the impact of any incident. Where legal duties are not met, Ofcom will have the power to investigate and where there is a breach, impose tough fines in proportion to the breach ranging up to 10% of annual turnover.
-
Make information available to the government and provide annual security reports to the government. Understanding the security and resilience of the UK’s telecoms networks and services is vital to making sure that the overall security framework is fit for purpose. Ofcom will provide specific annual security reports to the government, in addition to updates on general network security and resilience as part of their existing infrastructure reports. These annual reports will set out how far telecoms providers are complying with new security obligations and acting in accordance with the codes of practice, any action that Ofcom has taken in response to security compromises and any particular risks that it has become aware of. The government will be able to publish these reports, or extracts from them, and Ofcom will be able to publish relevant information. Ofcom will also use new and existing legal routes so that necessary information (including in relation to industry compliance with the framework) can be shared with the government. This information sharing will support ongoing policy development in relation to telecoms security, including identifying new threats and vulnerabilities. It will also ensure that the telecoms security requirements in secondary legislation and the codes of practice are based on the latest information.
Ofcom will work closely with the government and the National Cyber Security Centre (NCSC) when carrying out its new responsibilities. The NCSC will provide future updates on best practice for technical security measures. The government will include any new or revised measures as appropriate in updated versions of Codes of Practice. The government will also keep the legal framework under review and may update it based on the reports and feedback it receives from Ofcom.
Monitoring compliance with designated vendor directions
The government will need to monitor whether public communications providers are complying with any requirements imposed on their use of designated vendor goods, services and facilities. In order to ensure the Secretary of State has the information needed to make a compliance assessment, the Secretary of State will be able to give monitoring directions to Ofcom, which can require Ofcom to gather information relevant to the Secretary of State’s assessment of a provider’s compliance with a direction and to provide such information in a report to the Secretary of State. In response to a monitoring direction, Ofcom will be able to use its information gathering powers. These will include the ability to issue ‘inspection notices’ in specified circumstances to telecoms providers which, among other things, can impose a duty on a provider to survey its network, make staff available for interview or allow an authorised person to observe network operations.
How will Ofcom meet the costs of its new role?
Ofcom is funded through various sources, including administrative fees charged to companies it regulates and spectrum management fees charged to companies using the airwaves. Ofcom’s annual budget is approved by its Board and must be within a limit set by the government. This will be adjusted to take account of the increased costs of carrying out its enhanced security role.