The government has finalised a series of new cyber security rules and a code of practice for communications services providers (CSPs) that will set out specific actions on how they can fulfil their new legal obligations under the Telecommunications (Security) Act, which became law in November 2021.
Described by the government as among the strongest telco security regulations in the world, the Act is intended to improve security standards across the UK’s critical broadband and mobile networks.
It has its beginnings in the security row that engulfed China’s Huawei, which saw accusations of state-sponsored spying levelled at the supplier, culminating in Westminster’s 2020 decision to ban the future sale of Huawei equipment to CSPs, and strip it from the UK’s networking infrastructure by 2027.
Among other things, the Act governs the provenance of the equipment and software used at phone mast sites and telephone exchanges, and imposes a stronger legal duty on CSPs to defend their networks from attacks that could either cause their networks to fail, or lead to the loss of sensitive data.
However, CSPs are currently responsible for setting their own security standards, and a 2019 review concluded that they may have little incentive to adopt best practices.
As a result, the new regulations and code of practice – which were developed with input from the National Cyber Security Centre (NCSC) and comms regulator Ofcom, and were subject to a public consultation – set out specific actions that CSPs need to take to fulfil their legal duties, which, it is hoped, will improve network resilience by embedding good security practices in their day-to-day activities and their future investment decisions.
“We know how damaging cyber attacks on critical infrastructure can be, and our broadband and mobile networks are central to our way of life,” said digital infrastructure minister Matt Warman. “We are ramping up protections for these vital networks by introducing one of the world’s toughest telecoms security regimes which secure our communications against current and future threats.”
NCSC technical director Dr Ian Levy added: “We increasingly rely on our telecoms networks for our daily lives, our economy and the essential services we all use. These new regulations will ensure that the security and resilience of those networks, and the equipment that underpins them, is appropriate for the future.”
The regulations will bind CSPs to these actions:
- To protect data processed by their networks and services and secure the critical functions that let them operate and manage their networks and services.
- To protect the software and equipment that monitors and analyses their networks and services.
- To form a “deep understanding” of the risks they face, and the ability to identify anomalous activity, supported by regular reporting to their boards.
- To account for supply chain risks, and understand and control who has the ability to access and make changes to the operation of their networks and services.
The regulations will be overseen, monitored and enforced by Ofcom, which, beginning in October 2022, will have the power to levy fines of up to 10% of turnover, or £100,000 a day in the case of an ongoing contravention. They will be laid as secondary legislation in Parliament shortly, alongside the draft code of practice to guide CSPs towards compliance.
The government said CSPs will be expected to be fully compliant by March 2024 and committed to updating the code periodically as circumstances change.