The government has finalized a series of new cyber security rules and a code of practice for communications service providers (CSPs) that will set out specific steps on how they can meet their new legal obligations under the Telecommunications (Security) Act, which became law in November 2021.
Described by the government as one of the strongest telco security regulations in the world, the legislation is intended to improve security standards across the UK’s critical broadband and mobile networks.
It had its start in the security row that engulfed China’s Huawei, which saw allegations of state-sponsored espionage culminate in Westminster’s 2020 decision to prohibit future sales of Huawei equipment to CSPs and to take it out of the UK’s networking infrastructure by 2027.
Among other things, the Act regulates the origination of equipment and software used in phone mast sites and telephone exchanges, and imposes a strong legal duty on CSPs to protect their networks from attacks that could cause their networks to fail or result in the loss of sensitive information.
However, CSPs are currently responsible for setting their own security standards, and a 2019 review concluded that they may have little incentive to adopt best practices.
As a result, the new regulations and code of practice – which were drawn up with input from the National Cyber Security Centre (NCSC) and comms regulator Ofcom, and were subject to a public consultation – determine the specific steps CSPs need to take to meet their legal obligations, which will, hopefully, improve network resilience by embedding good security practices in their day-to-day activities and in their future investment decisions.
“We know how damaging a cyber attack can be on critical infrastructure, and our broadband and mobile networks are at the heart of our lives,” said Digital Infrastructure Minister Matt Warman. “We are enhancing protection for these critical networks by introducing one of the world’s toughest telecom security systems that protect our communications against current and future threats.”
NCSC Technical Director Dr Ian Levy added: “We are increasingly dependent on our telecoms networks for our daily lives, our economy and the essential services we all use. These new regulations will ensure that the security and resilience of those networks, and the equipment that underpins them, is fit for the future.”
The regulations will bind CSPs to these activities:
- To protect data processed by their networks and services and to protect important functions that allow them to manage and operate their networks and services.
- To secure software and tools that monitor and analyze their networks and services.
- To form a “deeper understanding” of the risks they face and the ability to detect unusual activity supported by regular reporting to their boards.
- Accounting for supply chain risk, and understanding and controlling who has the power to access and make changes to the operation of their networks and services.
The regulations will be overseen, monitored and enforced by Ofcom, which, from October 2022, will have the power to levy fines of up to 10% of turnover or £100,000 for ongoing breaches. The regulations will soon be tabled in Parliament as secondary legislation, alongside a draft code of practice to guide CSPs on compliance.
The government said CSPs would be expected to be fully compliant by March 2024 and committed to updating the code periodically as conditions change.