While the world watches Ukraine, the British government has quietly dropped a requirement for mass surveillance of UK internet users by their service providers.
A public consultation on the Electronic Communications (Security Measures) Regulations 2022, currently in draft, revealed that a controversial plan to bring back internet connection records monitoring has been deleted after pushback from ISPs.
The latest version of the regulations, published this week, now says that the 13-month logging requirement applies only to monitoring “security critical functions” of telcos and ISP networks.
Contained in a draft code of practice issued at the same time is a clear explanation that the legally required monitoring is intended to help “post-incident analysis and other such activity.”
“Logs for network equipment in security critical functions shall be fully recorded and made available for audit for 13 months,” explained the code. Large ISPs have until 2025 to implement such logging, while smaller outfits have a full five years to get themselves up to speed.
The wider consultation looks at security overall, ranging from the supply chain (a coded reference to Huawei and other Chinese vendors) to network security of the type familiar to Register readers.
“This consultation seeks informed views from Ofcom, providers of public networks and services, as well as those who may have experience in these matters,” says the consultation page on GOV.UK.
The news will come as a relief to the public; when the 13-month requirement was first raised last year, the language was noticeably looser and risked introducing a fresh layer of mass population surveillance. Dismay from trade body the ISP Association (ISPA) led to a change of legislative language that will doubtless make it easier to deploy targeted security measures for a positive goal all can agree on, rather than, say, using security as a fig leaf to harm users by building yet more vast data stores about their internet usage history.
Warren O’Driscoll, head of security consulting at management consulting firm NTT DATA UK, opined in a statement: “There is still uncertainty about what the final measures will be, and there is likely to be pushback from telcos on the most challenging or costly aspects of implementation.”
He continued: “While a few operators may be tempted to drag their heels or do the bare minimum until this legislation comes formally into effect, concerted action is needed across the industry to increase its overall security maturity, especially given ever-evolving cyber threats. Regulations can often drive tick box behaviours, with business paying lip service to regulations, or taking ‘sticking plaster’ approaches.”
In a statement the Department for Digital, Culture, Media and Sport (DCMS) said its consultation “seeks views on plans to place telecoms providers into three ‘tiers’” after last year’s Telecoms Supply Chain Review revealed to officials that smaller operators are less worried about security than government would like.
“Companies which fail to comply could face fines of up to 10 per cent of turnover or, in the case of a continuing contravention, £100,000 per day,” boomed the department.
As is the current legislative fashion, Ofcom, which apparently already does everything from internet censorship to radio spectrum licensing to enforcing TV advertising standards, will also now monitor and assess the security posture of telecoms providers.
Dr Ian Levy, chief techie at the National Cyber Security Centre (NCSC), said in a canned statement: “As our dependence on [telecoms networks] grows, we need confidence in their security and reliability which is why I welcome these proposed regulations to fundamentally change the baseline of telecoms security.”
Last year Cisco blew the lid on the proposed changes at an early stage by publishing details of how it would comply with what was known at the time as the Vendor Annex, a detailed, NCSC-authored document explaining precisely what the government wants to see from vendors supplying the telco market. ®