UK telecom companies face fines of up to 10% of their turnover if they don’t follow industry best practice when it comes to protecting networks from cyberattacks under tough new government rules set to be introduced in October.
“The new telecoms security regulations will be among the strongest in the world,” according to a Department for Digital, Culture, Media and Sport (DCMS) announcement today, which says they will provide tougher protections for the UK from cyber threats which could cause network failure or the theft of sensitive data.
Part of the Telecommunications (Security) Act, the new regulations give the government power to set security standards for mobile and broadband networks. This covers both hardware and software at mast sites and in telephone exchanges that handle internet traffic as well as phone calls.
Under current legislation, telecom companies are self-regulating when it comes to security standards in their network, but the recent Telecoms Supply Chain Review found that providers had little incentive to adopt best practices when it comes to cybersecurity.
The new regulations include a code of practice that was developed by the National Cyber Security Centre (NCSC) and Ofcom to set out specific actions operators are expected to carry out to ensure they are compliant and fulfilling their legal duties under the act.
UK telecom security laws: increased network resilience
A government spokesperson says the legislation “will improve the UK’s cyber resilience by embedding good security practices in providers’ long term investment decisions and the day-to-day running of their networks and services”.
As well as a requirement to protect any data processed on the network, both mobile and fixed line companies will also be expected to secure the critical functions of a network, which allows them to be operated and managed, protect software and equipment that monitor and analyse the network and have a deep understanding of security risks.
On the last point the company also has to be able to identify when anomalous activity is taking place and be able to report it, as well as take account of supply chain risks and make changes to the operation of their networks and services to enhance security.
Digital Infrastructure Minister Matt Warman said a cyberattack on critical infrastructure can be damaging and “our broadband and mobile networks are central to our way of life”.
Warman added: “We are ramping up protections for these vital networks by introducing one of the world’s toughest telecoms security regimes which secure our communications against current and future threats.”
UK telecom companies could face huge fines
Ofcom will be responsible for overseeing and enforcing the new code of conduct and will have the power to carry out inspections of premises and systems to ensure they are compliant. If a company fails to meet the standards a fine can be issued of up to 10% of its turnover.
In the case of a continuing contravention of the legislation companies could face a fine of up to £100,000 per day until the problem is resolved.
Operators are expected to identify and assess the risk to any “edge” equipment directly exposed to potential attackers, including radio masts and internet equipment supplied to customers including modems and wifi routers.
To be compliant they will also need to keep tight control over who can make any network-wide changes and protect against malicious signalling coming into the network that could lead to outages.
There are company wide commitments as well, including making sure business processes are supporting security including through appropriate board level responsibility.
While the legislation comes into force in October, providers will have until March 2024 to ensure they have achieved all of the above targets. Once that is in place there will then be further timeframes for other future measures to protect network infrastructure.
Dr Ian Levy, technical director at the NCSC, added: “These new regulations will ensure that the security and resilience of those networks, and the equipment that underpins them, is appropriate for the future.”