Envisaged new rules on cybersecurity – legislative proposal for combating abuses in electronic communication
On 15 June 2022, a proposal for a bill on combating abuses in electronic communication was published on the Government Legislation Centre website. The proposal is intended mainly to combat and counteract cyberthreats such as generation of artificial traffic, smishing, and CLI spoofing. To this end, specific obligations are envisaged under the legislation for telecommunications operators and e-mail providers. Public consultations have been completed and the document is currently undergoing an interdepartmental consultation process.
Aim and main points of the proposal
The aim of the bill on combating abuses in electronic communication is to protect individuals against the increasing number of attacks made using telecommunications services. The Regulatory Impact Assessment states that preventative measures for cases similar to those being addressed in the envisaged legislation have been introduced in the United Kingdom (maintaining a list of numbers from which connections are not initiated) and the United States (tools enabling authentication of connection address details).
Under article 15 of the bill on combating abuses in electronic communication, abuse in electronic communication is the provision of a telecommunications service or the use of a telecommunications device in a manner for which it is not intended or in an unlawful manner, with the aim of causing or resulting in damage to the telecommunications operator or end user, or gaining an undue benefit. This scope has been partly clarified in article 3, which contains an open-ended list of the types of breach considered to be such abuses (generation of artificial traffic, smishing, and CLI spoofing).
To achieve this goal, lawmakers envisage placing new obligations on certain organizations.
Obligations and the role of CSIRT NASK
CSIRT NASK:
- will be required to monitor abuses in electronic communication,
- is to draw up a sample smishing message,
- is to launch, within three months of the bill being enacted, an IT system that provides samples of those messages, to which the National Police Headquarters, President of the Office of Electronic Communications, and telecommunications operators are connected,
- is to notify persons using the system that a particular sample has been unblocked once the need to block it ceases to exist,
- is to draw up, operate and maintain a publicly accessible list of warnings concerning internet domains used to fraudulently obtain data and funds of internet users.
Under the bill, objections to a message being considered an abuse and placed on the list operated by CSIRT NASK will be reviewed by the President of the Office of Electronic Communications.
Other obligations of e-mail providers
Some e-mail providers (with 500 000 or more users, for state entities or entities that operate 500 000 or more active accounts) will have an obligation to provide special e-mail authentication mechanisms. State entities will also only be allowed to use e-mail provided by an entity that fulfils the requirement described above. Compliance with these obligations can be monitored by the President of the Office of Electronic Communications.
Other obligations of telecommunications operators
Telecommunications operators will be required to:
- take proportionate technical and organizational measures to combat abuses in electronic communication; these can be provided for in an agreement between the President of the Office of Electronic Communications and operators,
- promptly block smishing, based on the sample provided by CSIRT NASK,
- block connections that involve CLI spoofing or in which an identification number is concealed from the end user (based on data on the list of numbers maintained by the President of the Office of Electronic Communications).
Penalties
The bill allows the President of the Office of Electronic Communications to fine telecommunications operators and e-mail providers that are in breach of their obligations.
Further proceedings
The bill is now in the opinion phase. Many comments were submitted during the public consultations and await review, so the future of the legislation is not clear.