Strict new rules confirmed to protect UK telecoms networks from cyberattacks


The new telecommunications security regulations will be among the strictest in the world and will provide much stronger protections in the UK against cyber threats that could lead to network failure or the theft of sensitive data.

The Telecommunications (Security) Actwhich came into force in November, gives the government powers to tighten security standards for UK mobile and broadband networks, including electronic equipment and software on telephone towers and in telephone exchanges that handle internet traffic and phone calls.

Currently, telecommunications providers are responsible for setting their own security standards in their networks. However, the review of the government telecommunications supply chain revealed that suppliers often have little incentive to adopt security best practices.

The new regulations and code of practice, developed with the National Cyber ​​Security Center and Ofcom, set out specific actions for UK public telecommunications providers to meet their legal obligations under the law. They will improve the UK’s cyber resilience by integrating good security practices into providers’ long-term investment decisions and the day-to-day operation of their networks and services.

The substance of the final regulation has been confirmed by the government following a response to a public consultation on it published today. The regulations aim to ensure that providers:

  • protect the data processed by their networks and services, and secure the critical functions that enable their operation and management
  • protect the software and equipment that monitors and analyzes their networks and services
  • have a thorough understanding of their security risks and the ability to identify when abnormal activity is taking place with regular reporting to internal boards
  • consider supply chain risks, and understand and control who has the ability to access and modify the operation of their networks and services to enhance security

Digital Infrastructure Minister Matt Warman said:

We know how damaging cyberattacks on critical infrastructure can be, and our broadband and mobile networks are central to our way of life.

We are strengthening the protection of these vital networks by introducing one of the strictest telecommunications security regimes in the world, which protects our communications against current and future threats.

NCSC Technical Director Dr Ian Levy said:

We increasingly depend on our telecommunications networks for our daily lives, our economy and the essential services we all use.

These new regulations will ensure that the security and resilience of these networks, and the equipment that underpins them, are fit for the future.

The regulations will soon be tabled as secondary legislation in Parliament, alongside a draft code of practice providing guidance on how providers can comply with them.

Ofcom will oversee, monitor and enforce the new legal obligations and will have the power to carry out inspections of telecommunications companies’ premises and systems to ensure they are complying with their obligations. If companies fail to meet their obligations, the regulator will be able to impose fines of up to 10% of turnover or, in the event of continued breaches, £100,000 per day.

From October, providers will be subject to the new rules and Ofcom will be able to use its new powers to ensure providers take appropriate and proportionate steps to meet their security obligations and follow the guidelines of the code of practice. This includes:

  • identify and assess the risk to any edge equipment directly exposed to potential attackers. This includes cell towers and Internet equipment provided to customers, such as Wi-Fi routers and modems that serve as entry points to the network.
  • Tightly control who can make network-wide changes
  • protect against certain malicious signaling entering the network that could cause outages;
  • have a good understanding of the risks facing their networks
  • ensure operational processes support security (e.g. appropriate board accountability)

Providers must have achieved these results by March 2024. The code of practice will establish additional timelines for the completion of other measures. The code will be updated periodically to ensure it keeps pace with evolving cyber threats.

ENDS

Notes to Editors

The government received responses to the consultation from public telecommunications providers, vendors and trade bodies. The government’s response outlines how these responses were taken into account and reflected in the final version of the regulations and the draft code of practice.

Technical changes as a result of the consultation include:

  • clarification to ensure security measures target the parts of networks most in need of protection, such as new software tools that power 5G networks
  • inclusion of additional guidance on national resiliency, security patches and legacy network protections, to help vendors understand what action to take

The Electronic Communications (Security Measures) Regulations will be tabled in Parliament through a regulatory text under the negative procedure.

The Draft Code of Practice will be tabled in Parliament in accordance with the requirement of Section 105F of the Communications Act 2003 (as amended by the Security of Communications Act 2021). It will remain in draft form for parliamentary consideration for forty sitting days, after which the code of practice will be issued and published.

Previous RJio will deploy 5G by deploying non-standalone technology
Next An Amstrad laptop you've never seen