- The UK government has completed a set of new cybersecurity rules and a code of practice for communications service providers (CSPs) to comply with their new legal obligations under the Telecommunications (Security) Act, which became law in November 2021.
- The Act, which the government describes as among the strictest telecom security laws in the world, seeks to improve security measures across all crucial UK mobile and internet networks.
- Starting in October 2022, Ofcom will oversee compliance with the regulations and will have the power to fine violators up to 10% of their annual revenue or £100,000 per day in the instance of a repeated infraction.
- The regulations will soon be laid before Parliament as secondary legislation, together with the proposed code of practice to guide CSPs toward compliance.
- The government stated that CSPs will be held accountable for being fully compliant by March 2024 and promised to update the code periodically as conditions change.
The U.K. government has finalized a set of new cyber security regulations and a code of practice for communications service providers (CSPs) to fulfill their new legal requirements under the Telecommunications (Security) Act, which became law in November 2021.
The Telecommunications (Security) Act is a “tough” measure
The Telecommunications (Security) Act, which the government calls one of the toughest pieces of telecom security legislation in the world, aims to raise security standards throughout the vital UK mobile and internet networks.
It all started with the security controversy surrounding China’s Huawei, in which the supplier was accused of engaging in state-sponsored spying. This controversy led to Westminster’s 2020 decision to forbid the company from selling equipment to CSPs going forward and to remove it from the UK’s networking infrastructure by 2027.
The Telecommunications (Security) Act regulates the origin of the hardware and software used at phone mast sites and telephone exchanges, among other things. It places a stricter obligation on CSPs to protect their networks from attacks that could either render them inoperable or result in the loss of sensitive data.
Although CSPs are currently responsible for setting their own security standards, a 2019 review found that they may have little incentive to do so.
As a result, the new regulations and code of practice, created with input from the National Cyber Security Centre (NCSC) and communications regulator Ofcom and the subject of public consultation, outline the precise actions CSPs must take to fulfill their legal obligations. It is hoped that incorporating sound security procedures into these CSPs’ daily operations and future investment decisions will improve network resilience.
“We know how damaging cyber attacks on critical infrastructure can be, and our broadband and mobile networks are central to our way of life. We are ramping up protections for these vital networks by introducing one of the world’s toughest telecoms security regimes which secure our communications against current and future threats,” explained digital infrastructure minister Matt Warman.
“We increasingly rely on our telecoms networks for our daily lives, our economy and the essential services we all use. These new regulations will ensure that the security and resilience of those networks, and the equipment that underpins them, is appropriate for the future,” added NCSC technical director Dr. Ian Levy.
The regulations for CSPs mandate the following actions:
- To safeguard the information their networks and services handle and secure the vital processes that enable them to manage and run their networks and services.
- To safeguard the hardware and software their networks and services rely on for monitoring and analysis.
- To develop a “deep understanding” of the risks they face and the ability to detect anomalous activity, and to report regularly to their boards.
- To take account of supply chain risks, and to understand and manage who can access their networks and services and who can change how they are operated.
Compliance with the Telecommunications (Security) Act will be monitored and enforced by Ofcom, which, starting in October 2022, will have the authority to impose fines of up to 10% of turnover, or £100,000 per day in the case of a persistent violation. The regulations will soon be laid before Parliament as secondary legislation, together with the draft code of practice to direct CSPs toward compliance.
The government said CSPs will be expected to be fully compliant by March 2024 and committed to updating the code periodically as circumstances change.