05 May 2025

In the telecommunications world, there is increasing visibility of and debates around cybersecurity – protecting the networks from digital attacks. Yet there should also be emphasis on the security of the physical infrastructure.

TCCA’s Legal and Regulatory Working Group (LRWG) aims to focus the attention of critical communications providers to the importance of the issue, with the goal of catalysing the creation of a global standard for the physical security of infrastructure supporting critical communications.

Why is this important now? Because most of the current critical communication networks using narrowband technologies such as TETRA, Tetrapol and P25, are owned and operated by the state, and their physical security is assured by the state to the extent deemed necessary. However, the emerging use of commercial mobile operator (MNO) networks to support broadband critical communications, particularly as Radio Access Networks, is changing the operating model.

TCCA describes ’critical communications’ as “communications services that are critical for the successful delivery and completion of the missions, tasks and operations of professional users who rely on being in contact when it counts. There are many and varied types of operations which need critical communications. These include public safety and security, emergency services, critical infrastructure, public utilities, transportation, critical industries and related activities, where failures in critical communications would lead to catastrophic degradation of services. This in turn could place critical services and citizen safety and security at immediate risk.”

Telecommunication infrastructure consists of several elements, including electronic components and passive elements such as physical sites and towers. The physical security of these network elements is of paramount importance, but it is debatable whether the measures that MNOs are currently adopting in this regard are sufficiently robust and fit for purpose.

First responders require critical communications to be reliable, available and stable to a very high degree. Assuring these characteristics would be the responsibility of the state or emergency services when the network is owned, managed and operated by either. However, it becomes complicated when the operating model of the new broadband networks for critical communications rely on MNOs for some or all their functions.

There is no universally agreed definition of what ‘good’ looks like with respect to physical security of infrastructure for critical communications. Different countries may have different ambitions and needs, depending on the evolving threat picture and resources, including finances, available. A new white paper produced by the LRWG aims to stimulate discussions that will ultimately lead to an agreed regulatory baseline that all nations must agree to meet.

The white paper looks at the measures in place in several countries around the world in the context of their approach to broadband critical communications. To create greater cohesion, the paper identifies two potential approaches:

a. impose security obligations through legislation/regulation;
b. rely on provisions in the contract between the critical communications operator and the MNO/infrastructure provider.

The LRWG’s assessment is that while each approach has advantages and disadvantages, a combination of the two would serve the interests of the critical communication services best.
The governmental critical communication networks may obligate MNOs to adopt sufficient measures to ensure the security of the network elements that are used for critical communication by legislation and/or regulation, or by contract with the relevant MNOs. While enforcement of a contract between parties will require legal action, legislation/regulation has the force of law and enforcement is a process between the MNOs and the respective regulator.

The main difference between the two options is under regulations, enforcement is primarily in the hands of the regulator with legislated sanctions while under contract, it is the right and the responsibility of the governmental critical communications provider with restitution being primarily damages or specific performance.

With legislation/regulation there will be a baseline that all MNOs would be obligated to meet and other interested parties would be aware of, including principles for cost-ceiling and cost sharing between the MNOs and the critical communication operator. This would enable MNOs to make better informed decisions, particularly when bidding to provide services for critical communications. Compliance with the requirements would be a statutory obligation, which would be easier to harmonise across jurisdictions, making way for multi-state standards.

On the other hand, legislation/regulation need to be carefully crafted in order to make the obligations proportionate as the scale of MNOs’ engagement may vary. Addressing developments in technology or the market may be more complicated as it will require legislative amendments. Since the regulator will be the enforcing authority, the critical communication operator may have limited access to information on MNOs’ compliance, unless access to that information is specifically granted through the legislation/regulation.

Contractual arrangements would make it easier to design individualised and proportionate obligations, and to update the contractual provisions in line with developments in technology and the market. However, it would take time, effort and expertise to negotiate standards of security with the MNO acceptable to the critical communications operator, particularly if there is no legally set minimum standard. It would also be challenging to monitor compliance by the MNO and would require specific contractual provisions that empower the critical communications operator.

Though new legal/regulatory obligations on physical security may increase the costs and burden of compliances for MNOs/infrastructure providers, it would have a salutary effect due to the improved security and resilience of the network, which is being increasingly sought by consumers, particularly business customers.
The white paper ‘Legal and Regulatory aspects relating to the physical security of telecommunications infrastructure used for critical communication services’ can be read here