DCMS launches public consultation on telecommunications security • The Register

As the world watches Ukraine, the UK government has quietly dropped the requirement for mass surveillance of UK internet users by their service providers.
A public consultation on the Electronic Communications (Security Precautions) Regulations 2022, currently in draft, has revealed that a controversial plan to reinstate monitoring of internet login records has been scrapped after ISPs rejected it.
The latest version of the regulations, released this week, now says the 13-month logging requirement only applies to the monitoring of “critical security functions” of telecom carrier and ISP networks.
In a draft code of practice published at the same time, there is a clear explanation that the legally required monitoring is intended to assist “post-incident analysis and other similar activities”.
“Network equipment logs in security-critical functions must be fully recorded and made available for auditing for 13 months,” the code explained. Large ISPs have until 2025 to implement such logging, while smaller companies have five years to upgrade.
The broader consultation covers security as a whole, ranging from supply chain (a coded reference to Huawei and other Chinese vendors) to network security of the familiar type to Register readers.
“This consultation aims to obtain informed opinions from Ofcom, network and utility providers, and those who may have experience in these matters,” says the consultation page on GOV.UK.
The news will come as a relief to the public; when the 13-month requirement was first raised last year, the language was significantly looser and risked introducing a new layer of mass population surveillance. The dismay of the professional body ISP Association (ISPA) has led to a change in legislative language that will undoubtedly make it easier to deploy targeted security measures for a positive purpose that all can agree on. Rather than, say, using security as a fig leaf to harm users by creating even larger stores of data about their internet usage history.
Warren O’Driscoll, head of security consulting at management consultancy NTT DATA UK, said in a statement: “There is still uncertainty about the final measures, and it is likely that operators of telecommunications will fall back on the most difficult or the most expensive. aspects of implementation.
He continued: “While a few operators might be tempted to drag their feet or do the bare minimum until this legislation officially comes into force, concerted action is needed across the industry to increase its overall maturity. in security, especially given the ever-evolving nature of cyber threats Regulations can often lead to tick box behaviors, with companies paying lip service to regulations or adopting band-aid approaches .
In a statement, the Department for Digital, Culture, Media and Sport (DCMS) said its consultation was “seeking advice on plans to place telecommunications providers into three ‘tiers'” after the Last year’s telecom supply chain review told officials that smaller operators are less worried. on security than the government would like.
“Businesses that fail to comply could face fines of up to 10% of turnover or, in the event of continued breach, £100,000 per day,” the department blasted.
As is current legislative fashion, Ofcom, which apparently already does everything from internet censorship to radio spectrum licensing to enforcement of TV advertising standards laws, will monitor and assess also now the security posture of telecommunications providers.
Dr. Ian Levy, chief technician at the National Cyber Security Center (NCSC), said in a canned statement: “As our reliance on [telecoms networks] develops, we need confidence in their security and reliability, which is why I welcome these regulatory proposals aimed at fundamentally changing the basis of telecommunications security. »
Cisco last year blew the lid on the proposed early-stage changes by releasing details of how it would comply with what was known at the time as the Vendor Annex, a document written by the NCSC explaining precisely what the government wants to see from suppliers supplying the telecommunications market. ®