We’ll drop SBOMs on UK.gov to solve Telecoms Security Bill’s technical demands, beams Cisco • The Register

T-Mobile is Warning that a data breach has exposed the names, date of birth, Social Security number and driver’s license/ID information of more than 40 million current, former or prospective customers who applied for credit with the company. Get Secured Now with Norton 360

Britain’s Telecoms Security Bill will be accompanied by a detailed code of practice containing 70 specific security requirements for telcos and their suppliers to meet, The Register can reveal.

The Telecom Security Bill (TSB), which is near the end of its journey through Parliament, has been rather unpopular with some ISPs who have previously complained about the high cost of compliance.

Introduced as part of 2019-20’s “ban Huawei immediately” panic, the bill includes provision for £100k-a-day fines.

Now El Reg can reveal more about the detailed requirements due to be imposed on the industry, thanks to Cisco publishing a detailed paper [PDF] explaining how it already complies with UK.gov and National Cyber Security Centre requirements. That paper is a response to a document called the Vendor Annex, an NCSC-authored technical bolt-on to the main bill.

“We expect that the way it will work is there will be some expectation that the operators will be obliged to do much more scrutiny when they go through their procurement exercises with telco vendors,” Cisco’s UK&I national cybersecurity advisor, Mark Jackson, told The Register.

Jackson added that many of the requirements in the bill and the Vendor Annex could be satisfied through provision of a software bill of materials (SBOM), though that specific term isn’t mentioned. SBOMs as a security management concept have come in for some criticism recently because they could create the illusion that picking (for example) one specific software library and saying “job done, it’s secure” doesn’t set the expectation that the library will need updating in future.

This kind of problem was endemic in Huawei’s mobile network equipment firmware, as NCSC’s Huawei examination cell revealed in 2019. The Chinese firm was, among other things, using “70 full copies of 4 different OpenSSL versions” which contained 10 “publicly disclosed” vulns, some “dating back to 2006”.

Referring to the…