Britain’s Telecoms Security Bill will be accompanied by a detailed code of practice containing 70 specific security requirements for telcos and their suppliers to meet, The Register can reveal.
Introduced as part of 2019-20’s “ban Huawei immediately” panic, the bill includes provision for £100k-a-day fines.
Now El Reg can reveal more about the detailed requirements due to be imposed on the industry, thanks to Cisco publishing a detailed paper [PDF] explaining how it already complies with UK.gov and National Cyber Security Centre requirements. That paper is a response to a document called the Vendor Annex, an NCSC-authored technical bolt-on to the main bill.
“We expect that the way it will work is there will be some expectation that the operators will be obliged to do much more scrutiny when they go through their procurement exercises with telco vendors,” Cisco’s UK&I national cybersecurity advisor, Mark Jackson, told The Register.
Jackson added that many of the requirements in the bill and the Vendor Annex could be satisfied through provision of a software bill of materials (SBOM), though that specific term isn’t mentioned. SBOMs as a security management concept have come in for some criticism recently because they could create the illusion that picking (for example) one specific software library and saying “job done, it’s secure” doesn’t set the expectation that the library will need updating in future.
This kind of problem was endemic in Huawei’s mobile network equipment firmware, as NCSC’s Huawei examination cell revealed in 2019. The Chinese firm was, among other things, using “70 full copies of 4 different OpenSSL versions” which contained 10 “publicly disclosed” vulns, some “dating back to 2006”.
Referring to the TSB, Cisco’s Jackson illustrated the SBOM problem from the vendor’s perspective:
Other key inclusions in the Vendor Annex include provision of secure boot, security testing (including specific mentions for fuzzing and negative testing) along with a specific requirement that there are “no undocumented administrative mechanisms”, something that’s caught Cisco out in the past among others.
The Internet Service Providers’ Association declined to comment on the current state of the Vendor Annex, as did the National Cyber Security Centre. While the document will be undergoing more revisions over the coming months, the TSB’s proposed requirement to log 13 months of “all access” to networks by users will continue to worry privacy and security advocates alike. ®