What the CoP? Understanding the status of the TSA code of practice

‘Big fines if you don’t comply with the TSA’ is a common mantra you’ll hear from those selling TSA compliance to providers of public electronic communications networks and services (PECN and PECS), but what part does the Telecommunications Security code of practice (code of practice) play in the wider Telecommunications Security Framework?

What is the code of practice?

The code of practice is a document which contains the following items:

  • Section 1 – Introduction and background
  • Section 2 – Key concepts
  • Section 3 – Technical Guidance Measures
  • Annex A – Glossary of terms
  • Annex B – Vendor Security Assessment
  • Annex C – Extracts from the Cyber Assessment Framework (Relevant CAF)

In essence, the following infographics show the spread of the code of practice requirements (the Vendor Security Assessment is not included in this analysis as it is not mandated to be used to achieve compliance).

Fig 1 – Tier one requirements from the code of practice – Copyright The Common Framework
Fig 2 – Tier two requirements from the code of practice – Copyright The Common Framework

Some providers confine themselves to the Technical Guidance Measures and then look to agree definitions of those measures as a community. The question is: does this matter?

In order to answer this question, we need to review the legal status of the code of practice.

===Note, none of the following is intended to be legal advice as I am not a legal professional.  I am merely reading this based on what I understand of the legislation related to the Telecommunications Security Framework and case law I have read===

How was the code of practice created?

Section 105E of the Communications Act 2003 (Comms Act), as inserted by the Telecommunications Security Act 2021 (TSA 2021), sets out how a code of practice comes into being and provides that the Secretary of State may:

  1. issue codes of practice giving guidance as to the measures to be taken under sections 105A to 105D by the provider of a public electronic communications network or a public electronic communications service;
  2. revise a code of practice issued under this section and issue the code as revised;
  3. withdraw a code of practice issued under this section.

Within section 105F, the Secretary of State must:

  • Publish a draft of the code (or any revision)
  • Consult with Ofcom and the providers of PECN/PECS
  • Amend the code of practice after consultation
  • Lay the draft code of practice before Parliament and allow Parliament 40 days to review it
  • Publish the code of practice once that period has passed without Parliament rejecting it

The latter two steps are unusual for a security framework, and they are the reason this document (the code of practice) has a special status under the Comms Act as amended by the TSA 2021.

What is the legal status of the code of practice?

It should be reiterated that the code of practice is guidance, with section 105H(1) stating that:

A failure by the provider of a public electronic communications network or a public electronic communications service to act in accordance with a provision of a code of practice does not of itself make the provider liable to legal proceedings before a court or tribunal.

Section 105H(2) makes it clear what would need to be considered by a court or tribunal:

In any legal proceedings before a court or tribunal, the court or tribunal must take into account a provision of a code of practice in determining any question arising in the proceedings if—

(a)the question relates to a time when the provision was in force; and

(b)the provision appears to the court or tribunal to be relevant to the question.

This means that a court or tribunal must take the code of practice into account where a provision of it is in force and relevant, so what is written in the code of practice matters.

Paragraph 0.17 within section 1 of the code of practice states that the code of practice provides detailed technical guidance to public telecoms providers on the measures to be taken under sections 105A to 105D of the Act. The processes for issuing, revising and withdrawing codes of practice are set out in new sections 105F and 105G of the Act and the legal effects of codes of practice are detailed in section 105H.

What’s the impact of what’s written in the code of practice?

The challenge here is that the statement within the code of practice describes it as detailed technical guidance on the measures to be taken, not on measures that can be taken; in other words, the wording of the code appears to state that what is in the code has to be done.

However, paras 0.18 and 0.19 build on the point made in section 105H, stating:

0.18 The guidance set out in this code of practice is not the only way for providers to comply with the new security duties and specific security requirements that have been placed into law. We appreciate that where the regulations require public telecoms providers to take ‘appropriate and proportionate’ measures, what is appropriate and proportionate will depend on the particular circumstances of the provider.

0.19 A public telecoms provider may choose to comply with those new security duties and specific security requirements by adopting different technical solutions or approaches to those specified in the code of practice. When they do so, Ofcom may require the provider to explain the reasons why they are not acting in accordance with the provisions of the code of practice in order to assess whether they are still meeting their legal obligations under the security framework. Providers are obliged to explain those reasons to Ofcom under section 105I of the Act, where Ofcom has reasonable grounds for suspecting the public telecoms provider is failing or has failed to comply with the code of practice.

The wording above is interesting, as it softens the mandatory tone of the code, especially when read alongside the implementation timelines in para 0.25, which states:

Whilst the security duties, requirements in regulations and Ofcom oversight powers that form the new telecoms security framework came into force on 1 October 2022, it would not be proportionate to expect public telecoms providers to be in a position to meet all their obligations from that date. Instead, specific recommended compliance timeframes for individual measures are contained within this code of practice. These are the timeframes by which providers would be expected to have taken relevant measures set out in the code of practice, whilst recognising that due to the existing threat environment, the quicker providers are able to implement measures the better.

This language means that the compliance timeframes are not set in stone, but also that you have to make, and be able to justify, your own judgements about your ability to deliver the outcomes in the code.

Paragraph 1.1 within section 2 makes it clear that certain terms used in the code of practice signal where there is likely to be more than one way of complying with the guidance (i.e. some measures are more flexible than others). This is important because the wording used would form part of any judgement by a court or tribunal in the event of legal proceedings. It is also important to acknowledge the status of the key concepts: the code states that certain key concepts are relevant both to the guidance measures set out in the code of practice and to the requirements contained in the regulations, and that all public telecoms providers must fully understand these key concepts in order to properly meet the intent of the security requirements.

Summary

The reality is that the code of practice exists under the Act to give detailed technical guidance as to the measures (the duties and specific security requirements set out in the Act and the regulations), and it must be consulted on and laid before Parliament before it is issued. It is also clear that failure to follow the code does not mean an automatic penalty, but the code of practice is something a court or tribunal would have to take into account if proceedings were brought for non-compliance. Any such review would look at what is actually written in the code, so you need to be clear about your interpretation of each of its provisions.

However, it also means that decisions taken outside of the code of practice require careful review if they start to influence the compliance outcomes in a manner that might be deemed inconsistent with the original intent of the security framework. To understand this further, I recommend reading the reasoning of Mr Justice Langstaff in the first-instance judgment on vicarious liability in Various Claimants v Wm Morrisons Supermarkets. It shows the extent to which what was written and available at the time was subjected to scrutiny, so careful heed should be paid to complying with what is written in the security framework.