Britain's Telecoms Security Bill will be accompanied by a detailed code of practice containing 70 specific security requirements for telcos and their suppliers to meet, The Register can reveal.
Introduced as part of 2019-20's "ban Huawei immediately" panic, the bill includes provision for £100k-a-day fines.
Now El Reg can reveal more about the detailed requirements due to be imposed on the industry, thanks to Cisco publishing a detailed paper [PDF] explaining how it already complies with UK.gov and National Cyber Security Centre requirements. That paper is a response to a document called the Vendor Annex, an NCSC-authored technical bolt-on to the main bill.
"We expect that the way it will work is there will be some expectation that the operators will be obliged to do much more scrutiny when they go through their procurement exercises with telco vendors," Cisco's UK&I national cybersecurity advisor, Mark Jackson, told The Register.
Jackson added that many of the requirements in the bill and the Vendor Annex could be satisfied through provision of a software bill of materials (SBOM), though that specific term isn't mentioned. SBOMs as a security management concept have come in for some criticism recently because they could create an illusion: picking (for example) one specific software library and saying "job done, it's secure" doesn't set the expectation that the library will need updating in future.
This kind of problem was endemic in Huawei's mobile network equipment firmware, as NCSC's Huawei examination cell revealed in 2019. The Chinese firm was, among other things, using "70 full copies of 4 different OpenSSL versions" which contained 10 "publicly disclosed" vulns, some "dating back to 2006".
Referring to the TSB, Cisco's Jackson illustrated the SBOM problem from the vendor's perspective:
"There's always that risk that customers come to you and say, I can't possibly buy your product, because you've got maybe one version out of date of OpenSSL. It might not be vulnerable, but... it's out of date, therefore it must be bad. And you then end up with a really difficult conversation from a commercial perspective as to how you manage those things and get down to the pragmatic risk management of these things."
Other key items in the Vendor Annex include provision of secure boot and security testing (with specific mentions of fuzzing and negative testing), along with a specific requirement that there are "no undocumented administrative mechanisms", something that's caught out Cisco, among others, in the past.
The Internet Service Providers' Association declined to comment on the current state of the Vendor Annex, as did the National Cyber Security Centre. While the document will be undergoing more revisions over the coming months, the TSB's proposed requirement to log 13 months of "all access" to networks by users will continue to worry privacy and security advocates alike. ®