New telecoms security regulations will be among the strongest in the world and will provide much tougher protections for the UK from cyber threats, the government has claimed.
The Telecommunications (Security) Act, which became law in November, gives powers to boost the security standards of the UK’s mobile and broadband network.
This includes electronic equipment and software at phone mast sites and in telephone exchanges which handle internet traffic and telephone calls.
The government announcement has been welcomed by industry leaders as it could avoid service providers being hit by “hefty” fines.
Currently, telecoms providers are responsible for setting their own security standards in their networks.
However, the government’s Telecoms Supply Chain Review found providers often have little incentive to adopt the best security practices.
The new regulations and code of practice, developed with the National Cyber Security Centre and Ofcom, set out specific actions for UK public telecoms providers to fulfil their legal duties in the Act.
They will improve the UK’s cyber resilience by embedding good security practices in providers’ long-term investment decisions and the day-to-day running of their networks and services.
The substance of the final regulations has been confirmed by the government following a response to a public consultation published on August 30.
The regulations are to make sure providers:
- protect data processed by their networks and services, and secure the critical functions which allow them to be operated and managed
- protect software and equipment which monitor and analyse their networks and services
- have a deep understanding of their security risks and the ability to identify when anomalous activity is taking place with regular reporting to internal boards
- take account of supply chain risks, and understand and control who has the ability to access and make changes to the operation of their networks and services to enhance security
Digital Infrastructure Minister Matt Warman said: “We know how damaging cyber attacks on critical infrastructure can be, and our broadband and mobile networks are central to our way of life.
“We are ramping up protections for these vital networks by introducing one of the world’s toughest telecoms security regimes which secure our communications against current and future threats.”
NCSC Technical Director Dr Ian Levy said: “We increasingly rely on our telecoms networks for our daily lives, our economy and the essential services we all use.
“These new regulations will ensure that the security and resilience of those networks, and the equipment that underpins them, is appropriate for the future.”
The regulations will be laid as secondary legislation in Parliament shortly, alongside a draft code of practice providing guidance on how providers can comply with them.
Ofcom will oversee, monitor and enforce the new legal duties and have the power to carry out inspections of telecoms firms’ premises and systems to ensure they’re meeting their obligations. If companies fail to meet their duties, the regulator will be able to issue fines of up to 10 per cent of turnover or, in the case of a continuing contravention, £100,000 per day.
From October, providers will be subject to the new rules and Ofcom will be able to use its new powers to ensure providers are taking appropriate and proportionate measures to meet their security duties and follow the guidance within the code of practice. This includes:
- identifying and assessing the risk to any ‘edge’ equipment that is directly exposed to potential attackers. This includes radio masts and internet equipment supplied to customers such as Wi-Fi routers and modems which act as entry points to the network
- keeping tight control of who can make network-wide changes
- protecting against certain malicious signalling coming into the network which could cause outages
- having a good understanding of risks facing their networks
- making sure business processes are supporting security (e.g. proper board accountability)
Providers will be expected to have achieved these outcomes by March 2024. The code of practice will set out further timeframes for completion of other measures. The code will be updated periodically to ensure it keeps pace with any evolving cyber threats.
Dan Middleton, Vice President UK & Ireland, Veeam Software, said: “The telecoms industry holds hugely sensitive data and is responsible for the, often critical, communication of our economy.
“This is why it’s a welcome move for the DCMS to announce new cybersecurity regulations for the sector, especially as research recently found that 76% of UKI businesses suffered at least one ransomware attack in the past year.
“While previously telcos were responsible for their own security standards, these new regulations draw attention to the need for more investment into cybersecurity by telco companies, and give Ofcom the right to fine those that fail to comply.
“In particular, the DCMS has highlighted the need for better data protection within the industry, stating that it will make sure communications service providers ‘protect data processed by their networks and services.’ One way this can be achieved is by having a full business continuity strategy, which will include resilience measures and backup and disaster recovery plans, to give telcos the ability to recover data and continue their operations as usual in the event that data is breached or encrypted, such as in the event of a ransomware attack.
“Secure, immutable backups are the last line of defence against ransomware, so are increasingly vital as these attacks continue to rise.
“Not only will better protecting their data benefit the customers of telco organisations but, under these new regulations, it will prevent the risk of having to pay hefty fines – 10% of annual revenue or £100,000 per day – for failing to comply. If data is the lifeblood of an organisation, the networks that telcos provide may be considered its circulatory system. It is vital that it remains healthy. As ever, prevention is better than cure. But, should the worst happen to corrupt, stem or cut off a company’s data flow, modern data protection that backs up, recovers and manages vital data, will help them carry on business as usual – and service their customers – even in the event of a cyberattack. As such it needs to be prioritised.”