Telecommunications (Security) Bill - Sitting 6

21 January 2021

Proposing MP: Birmingham, Selly Oak
Type: Public Bill Committee

At a Glance

Issue Summary

  • The statement discusses the need for network operators to conduct comprehensive audits of their telecommunications networks to ensure security and compliance with regulations.
  • The MP discusses the need for clarity on security audits and responsibilities within the telecommunications sector under the Telecommunications (Security) Bill.
  • The statement addresses the Telecommunications (Security) Bill and its provisions for identifying security risks in telecom networks.
  • The statement discusses the Telecommunications (Security) Bill's Clause 2, which introduces new duties for telecoms providers to take measures in response to security compromises.
  • Steve McCabe discusses and seeks support for amendments related to consulting the National Cyber Security Centre (NCSC) in the development of codes of practice about security measures and informing NCSC of security compromises.
  • The statement discusses the importance of consulting the National Cyber Security Centre (NCSC) before issuing security-related codes of practice under the Telecommunications (Security) Bill.
  • The statement discusses the Telecommunications (Security) Bill, focusing on the NCSC and Ofcom's working relationship and the implementation of a tiered system for telecoms providers to comply with security measures.
  • The statement discusses the Telecommunications (Security) Bill, focusing on clauses related to codes of practice for telecoms security and informing others about security compromises.
  • The statement discusses clause 4 of the Telecommunications (Security) Bill, which aims to clarify operators' responsibilities regarding cybersecurity and consumer protection.
  • The statement discusses potential overlaps in communication responsibilities between regulatory bodies regarding consumer notifications about data breaches.
  • The amendment aims to require telecommunications providers to notify Ofcom of any changes to their network or service that could compromise security compliance.
  • The statement discusses amendments related to ensuring Ofcom has sufficient information and a proactive role in regulating network security under the Telecommunications (Security) Bill.
  • The statement addresses amendments to restrict who Ofcom can appoint for security assessments and cap costs for such assessments under the Telecommunications (Security) Bill.
  • The statement discusses the Telecommunications (Security) Bill and the costs associated with Ofcom's assessment of security measures in telecoms providers.
  • The debate concerns an amendment regarding Ofcom's ability to utilise resources for security assessments under the Telecommunications (Security) Bill.
  • The statement addresses the need for network providers to report on the diversity of their supply chains to enhance national security.
  • The Minister is addressing concerns about the Telecommunications (Security) Bill regarding diversification of supply chains and Ofcom's ability to collect relevant data.

Action Requested

No specific action requested in this statement, but the speaker supports probing amendments aimed at understanding how the government plans to enforce comprehensive audits on telecoms hardware and software.

Key Facts

  • The amendment is designed to probe how the Government ensures network operators audit their equipment for security risks.
  • Some of the equipment in networks may now pose security issues even though it was introduced years ago without apparent risk.
  • The Cabinet Office had been aware of BT’s contract with Huawei since 2003 but only informed Ministers in 2006.
  • The Telecommunications (Security) Bill aims to establish clear responsibilities for operators.
  • Ofcom must provide clear guidance on what is expected of operators regarding national security.
  • Intelligence agencies like GCHQ inform operators about potential security threats.
  • The Government has published an early draft of the security regulations.
  • Regulation 3(3)(a) includes a duty for network providers to identify, record and reduce risks of security compromises.
  • Clause 19 enables Ofcom to carry out surveys on specific networks or services when directed by the Secretary of State.
  • Clause 23 allows the Secretary of State to require information about a provider’s use of goods, services or facilities supplied by a particular person.
  • Clause 2 places a duty on providers to take measures in response to security compromises.
  • Proposed new section 105C sets out the general duty, while proposed new section 105D gives powers for specific regulations.
  • Draft regulations have been published and will be reviewed regularly to adapt to changing technology and threats.
  • Amendment 6 aims to require consultation with the National Cyber Security Centre (NCSC) on draft codes of practice.
  • Amendment 10 requires the Secretary of State to consult the NCSC before issuing a code of practice about security measures.
  • Amendment 5 seeks to ensure that providers inform both Ofcom and NCSC of any security compromise.
  • The Bill comprises three layers: overarching security duties, specific security requirements in secondary legislation, and detailed technical security measures in codes of practice.
  • Clause 3 provides the Secretary of State with power to issue and revise codes of practice.
  • Under section 19 of the Counter-Terrorism Act 2008 and new section 105L of the Communications Act 2003, Ofcom can share information about security incidents with the NCSC.
  • Ofcom and the NCSC will publish a statement outlining their respective roles.
  • Tier 1 contains large national-scale public telecoms providers.
  • Tier 2 covers medium-sized public telecoms providers.
  • Tier 3 includes small businesses and micro-enterprises.
  • The code of practice will be based on technical analysis by the NCSC.
  • The legislation places a duty on telecoms providers to meet strictures of a code of practice.
  • New section 105J requires providers to inform users about significant risks of security compromises in clear language.
  • Ofcom is required under new section 105L to share information about serious security compromises with the Government.
  • Clause 4 aims to clarify operators' responsibilities regarding cybersecurity and consumer protection.
  • The TalkTalk case is cited as an example where poor security led to a data breach affecting many individuals.
  • New section 105J requires providers to take reasonable steps to inform users about the risk, nature of the security compromise, and steps they can take in response.
  • Potential overlap exists in communication responsibilities between regulatory bodies.
  • Clarity of communication is a focus to prevent duplication.
  • Coordination is expected to be established to avoid sending notifications to 2 million people twice.
  • BT sold a portion of its network to Huawei without informing regulators until two years later.
  • Network assessments are complex due to overlapping networks, equipment ages, and software considerations.
  • The amendment encourages ongoing communication between providers and Ofcom to address security issues proactively.
  • Dr Drew testified that proactive involvement by providers in notifying changes is sensible.
  • Andrea Donà emphasized the need for clear understanding and collaboration between Ofcom and telecoms providers before enforcement.
  • Chi Onwurah supports an amendment to ensure network providers notify Ofcom about planned or actual changes.
  • Matt Warman asserts the Bill's current form strikes a balance between proportionate regulation and national security requirements.
  • Section 135 of the Communications Act 2003 allows Ofcom to require information from providers regarding future developments that could impact network security.
  • The amendment restricts 'another person' to a UK government agency or person from such an agency.
  • It caps individual security assessment costs for Ofcom at £50,000.
  • Chris Matheson highlights concerns about conflicts of interest and potential misuse of private contractors.
  • The clause provides Ofcom with strengthened powers including powers to give assessment notices.
  • A hard cap of £50,000 on costs could potentially hinder necessary extensive testing.
  • Providers' duty to bear costs will incentivise good security practices.
  • The amendment would limit Ofcom to using public sector organisations for security assessments.
  • Matt Warman argues that this limitation could constrain Ofcom's ability to access necessary expertise and incur appropriate costs.
  • Chris Matheson withdraws the amendment after the debate.
  • Amendment 13 aims to give Ofcom the power to request reports on supply chain diversity.
  • Clause 6 amends the Communications Act 2003 to insert section 105N, giving Ofcom powers to assess compliance with security duties.
  • The amendment highlights the risk of monopoly in secure supply chains and supports open RAN as a solution for diversification.
  • The Telecommunications (Security) Bill includes an initial tranche of £250 million investment to diversify UK networks.
  • Section 135 of the Communications Act 2003, as amended by clause 12, provides Ofcom with powers to gather information on network security.
  • Clause 12 allows Ofcom to collect data concerning future developments that could impact network security.