With the recent submission to Parliament of the Communications Bill that will give rise to the new Office of Communications (OFCOM), the U.K. is undergoing a dramatic change in the regulation of its communications industries.
Most public debate has focused upon the "content providers" such as the BBC and other broadcasters, but just as important is the role that OFCOM will play in regulating the traditional telecommunications providers, currently under the Office of Telecommunications (Oftel), and the new service providers such as ISPs.
European and U.K. legislation makes data protection and privacy an integral part of the new regulatory regime but to date, information security and assurance have not figured highly in the debate over OFCOM. This may be about to change as information security and assurance rise up the European political agenda. Certain European telecommunications regulators have begun to play a much more interventionist role to ensure high standards of security and assurance; their arguments have not fallen on deaf ears in the U.K.
Information Security Concerns
In the U.K. and Europe, governments, businesses and citizens have become increasingly aware of their critical dependencies on the information infrastructures that underpin modern society. At the same time, it has become evident that consumer trust and confidence are vital to the success of e-business and e-government.
In December 2001, European governments affirmed that: "the security of transactions and data has become essential for the supply of electronic services, including e-commerce and online public services, and low confidence in security could slow the widespread introduction of these services." European governments agreed a number of actions but noted that:
- "There are legal requirements imposed on providers of telecommunication services to take appropriate technical and organizational measures to safeguard the security of their services; these measures shall ensure a level of security appropriate to those requirements."
- "There is a need for individuals, businesses, administrations and other organizations to protect their own information, data and communications systems by deploying effective security technologies."
Possible Regulatory Roles
The legal requirements that exist, or will soon exist, on U.K. communications providers in this area generally stem from legislation on data protection and privacy but there are also expectations that network operators will ensure network integrity. In the past, Oftel has had no significant interest or role in promoting information or network security. The U.K.'s National Infrastructure Security Co-ordination Centre (NISCC) (www.niscc.gov.uk), founded in 1999, has a mandate to assure the government that the nation's critical information networks, including telecoms, are robust enough to withstand attack. NISCC however carries no regulatory stick, nor is it concerned with consumer protection.
The possible roles that a telecoms regulator could play in promoting information and network security were succinctly outlined by a former senior official of the U.S. Federal Communications Commission (FCC) in recent discussions on the topic. The spectrum ranges from:
- no role in information security;
- providing the public with information and raising consumer awareness;
- gathering information and statistics to assist with consumer complaints/naming and shaming operators;
- developing/disseminating best practices and encouraging (via co-regulation) compliance;
- investigating violations and enforcing standards;
- full enforcement of standards and penalties for non-compliance/violations.
That different countries have taken different approaches is evident from a quick glance at other European countries. At one extreme are telecoms regulators in Finland and Switzerland who have taken it upon themselves to ensure that their nation's information infrastructures are well protected against attack. The Finnish national regulatory authority (FICORA), for instance, runs a computer emergency response team (CERT) for the sector and employs a full-time staff of 10 to ensure the security of the information networks. Belgium does not go so far but it has made consumer and citizen protection and awareness a priority. The regulator and the Ministry of Communications have established a virus-alerting system that provides warning and advice to all of the country's Internet users in real-time.
The opposite pole is represented by regulators from countries such as Austria and the Netherlands who argue for maintaining a focus on a national regulatory authority (NRA)'s core business which is, after all, economic and market regulation. It is interesting to note that, in both countries, other public authorities have instead taken a dynamic role in sponsoring initiatives to promote Internet security. In Austria, for instance, the Federal Chancellery is working with ISPs to establish a national CERT. In the Netherlands, the Ministry of Public Works is leading a public strategy to promote security awareness and best practice.
What Role for OFCOM?
There has to date been a reluctance to mandate or legislate security standards, beyond those already built in via data protection legislation. This is unlikely to change in the near future since the U.K. is committed to promoting security through best practice, self-regulation and education initiatives rather than through regulation.
In general, the regulators argue that OFCOM should not be burdened with extra duties such as promoting information security. Nonetheless, as information and network security rise up the political and public agenda in a world that is increasingly dependent upon telecommunications for vital services and e-business, there are three measures that OFCOM should seriously consider.
First, OFCOM will be committed to a co-regulatory approach, with an intention to move towards self-regulation. Users, both corporate and home, will be represented in this co-regulatory regime but it should be OFCOM's role to provide them with the information they need to act. This information needs to extend to quality of service indicators, including network and information security. This will have two purposes: a) stimulate consumer awareness and hence the market in an area in which there is an acknowledged market failure, and b) encourage service providers to adopt best practices against clear benchmarks.
Second, as the Department of Trade and Industry (DTI)'s Information Security Breaches Survey 2002 points out, one reason why U.K. firms do not have adequate information security measures in place is the lack of industry benchmarks and of measures at board level to understand return on investment. Although such standards are gradually emerging in the global marketplace, OFCOM, with its fellow NRAs, is ideally placed to facilitate the emergence of common standards, benchmarks and metrics.
Third, OFCOM itself or in collaboration with other government departments such as the DTI and Home Office should provide a security advisory, alert and warning service to U.K. Internet users. Currently, this information is provided on a best practice basis by the DTI to SMEs and by NISCC to selected critical industries. The telecommunications companies and ISPs are important partners in the provision of such information to consumers but the provision of this information cannot be left to market forces alone. The Finnish, Belgian and Swiss models provide useful examples that can be rapidly adapted for the U.K. market.
By empowering consumers with real information and advice and providing service providers with international benchmarks and standards, OFCOM can contribute significantly to the current Labour government's objective of making the U.K. a world leader in e-business and e-government.
Andrew Rathmell is chief executive officer, Information Assurance Advisory Council. (www.iaac.org.uk).
Disclaimer: IAAC's recommendations do not necessarily represent the views of any of its members or sponsors, whether government or private sector. Strategic interaction with government is through a government liaison panel.