Good as far as it goes but perhaps a better option would be to require regular security audits by an OfCom appointed auditor. Or an alternative might be some kite-mark style accreditation for comms companies, those claiming to offer security services etc. (a couple of companies currently in the news here would serve as examples) based on 3rd party auditors. Given the prevalence of things like hard-coded credentials it seems that securing critical infrastructure can't be left to those who run it, and users/customers need to have the ability to see for themselves just what state it's in.
UK proposes new powers for comms regulator to legally unleash avenging hordes on security-breached telcos
Britain's Telecommunications Security Bill will allow anyone to sue their telco if they suffer "loss or damage" as a result of a system breach – but only if they get Ofcom's permission. The far-ranging proposal is in the new bill, which was introduced to Parliament back in November amid lots of government boasts of a crackdown …
Wednesday 16th December 2020 13:58 GMT Jellied Eel
Good as far as it goes but perhaps a better option would be to require regular security audits by an OfCom appointed auditor.
I think it's very bad, but you make a good suggestion.
I think it's bad because of the risk, and potential penalties. Over the decades I've had some interesting conversations around consequential losses vs contracted compensation. Generally those revolve around risk, i.e. what happens if/when the network goes down or events like DDoS or hacking. And generally that led to mitigating those risks by changing the design. But obviously that increases the cost of the design to something rather more substantial than the cost of the xDSL circuits the client thought they could run their business on.
Worst example was the proposed fire control service consolidation where the bidder I was working with wanted xDSL to fire stations. Or 'fully diverse xDSL'. Bidder was one of the big name consultancies, yet didn't understand how the technology worked. Luckily for the fire service, that idea was canned.
But in other jobs where clients have demanded non-standard penalties, the solution's been fairly simple. Calculate an estimate for the number of outage events we'd expect over the contract, the penalties for those events, and add that into the fee schedule. And if penalties were particularly high, buy insurance against those charges and add the cost of that into the contract.
Obviously that makes services more expensive, and the network would still go down. But I've never worked on a network where consequential losses were accepted simply because the risk was too high, or the cost of insurance against that risk was too high for the client. But then businesses can & do buy business continuity insurance, or at least the smart ones do.
But TL;DR is the proposal would place enormous risk on service providers, which would then get passed onto its customers.
But I like your suggestion. If government wants to pass this risk/cost onto service providers, then it should provide 'Best Practice' guidance to industry. If industry doesn't follow that guidance, well, then it takes the risk. Which is something relatively easily done. I've often argued that GCHQ/CESG should provide that Best Practice to industry, which it partly does, e.g. the classified guidance for public sector networks. Or thanks to CESG being turned into a revenue generating outfit, it'll sell consultancy. But I've always thought that given their role as commsec experts, and risks to UK Plc, their guidance (or at least some of it) should be public.
But there's also an element of the can being kicked down the road & consequential losses being passed onto hardware and software vendors. So Cisco/Juniper publish an advisory & patch due to a vulnerability being detected/exploited. Contractually they carry very little risk, but that could change with enough industry pressure. Which would again increase costs, and still would probably lead to exploits. After all, Cisco's IOS is 30 or so years old, so it should be exploit-free. Shouldn't it?
Wednesday 16th December 2020 17:47 GMT IanRS
There used to be an accreditation scheme - CAS(T) - which telecoms providers had to meet if they wanted to sell into the government or public sector markets. This was deprecated when the new Telecoms Security Requirements were announced. Announced, not available, so this was around the middle of last year. The Telecommunications (Security) Act 2019-2021 has now been approved in late November so this sets the requirements. I would assume that there will eventually be an accreditation scheme, but I am not holding my breath.
As a security consultant who often works in the telecoms area, I can foresee a very dull period ahead reading the Bill and trying to work out what the requirements really are. An initial glance through reveals this will not be enjoyable.
Wednesday 16th December 2020 22:11 GMT DevOpsTimothyC
"maximum fine of £2m" may sound good, but it wasn't clear if that's what Ofcom can impose or what I individually could get. If it's everyone covered by a data breach then doesn't Ofcom already have much stiffer penalties available to it (£18m or 4% of global turnover, whichever is greater, under DPA 2018)?
Monday 21st December 2020 22:13 GMT Anonymous Coward
Adequately secure as long as it's not encrypted I guess.
So the usual government crap then... padlocks on the doors, paperwork to track changes, faxes with signatures on, mandatory once-a-quarter training sessions, preferred supplier lists, and let's not forget the paragraph in the consumer contract that has a clause stating "I agree that the network has been secured to my satisfaction and waive any right to legal action... blah blah blah... accept that X is not liable for blah blah blah etc etc" that nobody will read and will just sign off on.
All the old-fashioned guff... as long as it's not encryption.
I'm hoping one day there will be laws passed to encrypt all the things... that way it doesn't matter who you buy the kit off, because nothing plaintext will flow through it.