Tough New Security Rules for Broadband And Mobile Carriers in the UK
The UK government’s Department for Digital, Culture, Media and Sport has proposed new rules to tighten network security against cyberattacks in broadband and mobile carriers.
Amongst The Strongest In The World
The government says that the new regulations and code of practice, developed with the National Cyber Security Centre and Ofcom, will be among the strongest in the world. The hope is that they will provide much tougher protections for the UK from the kind of cyber threats which can cause network failure or the theft of sensitive data.
The new regulations build upon the Telecommunications (Security) Act, which became law in November 2021, and detail the specific actions UK public telecom providers must take to fulfil their legal duties under the Act. The new rules follow a consultation, held between 1 March and 10 May 2022, on the draft Electronic Communications (Security Measures) Regulations and an accompanying code of practice.
The government says providers will be subject to the new rules from October 2022, at which point Ofcom can begin helping providers comply.
NCSC Technical Director Dr Ian Levy said, “We increasingly rely on our telecoms networks for our daily lives, our economy and the essential services we all use” and that “These new regulations will ensure that the security and resilience of those networks, and the equipment that underpins them…”. Digital Infrastructure Minister Matt Warman added, “We know how damaging cyber-attacks on critical infrastructure can be, and our broadband and mobile networks are central to our way of life.” For this reason, Mr Warman said, “We are ramping up protections for these vital networks by introducing one of the world’s toughest telecoms security regimes.”
What Are The New Electronic Communications (Security Measures) Regulations?
The new regulations state that providers must:
– Protect data processed by their networks and services, and secure the critical functions which allow them to be operated and managed.
– Protect software and equipment which monitor and analyse their networks and services.
– Have a deep understanding of their security risks and the ability to identify when anomalous activity is taking place with regular reporting to internal boards.
– Take account of supply chain risks and understand and control who can access and make changes to their networks and services to enhance security.
Some of the measures that providers will have to take to comply will include:
– Identifying and assessing the risk to any ‘edge’ equipment that is directly exposed to potential attackers, e.g. radio masts and internet equipment supplied to customers (Wi-Fi routers and modems, which could act as an entry point to the network).
– Keeping tight control of who can make network-wide changes.
– Protecting against certain malicious signalling coming into the network which could cause outages.
– Having a good understanding of risks facing their networks.
– Making sure business processes support security, e.g. proper board accountability.
The government expects providers to have taken these measures by March 2024.
What If They Don’t Comply?
If providers don’t comply, the government says the regulator will be able to issue fines of up to 10 per cent of turnover or, in the case of a continuing contravention, £100,000 per day.
What Does This Mean For Your Business?
Since the Telecommunications (Security) Act came into law in November 2021 and consultation started in March 2022, UK public telecom providers have been expecting more regulations. As the government pointed out, and particularly after the digital transformations of the pandemic, broadband and mobile networks have become vital and central to businesses, the economy, and daily life. Given this importance, poor relations with some countries (e.g. Russia and China), and the many reports of state-sponsored cyber-attacks, it is not surprising that pressure is being applied to tighten security across the board. The huge potential fines are a way to galvanise action. Ultimately, businesses and home users will benefit from tighter security at the provider level. However, since providers are not expected to have the measures in place until March 2024, it may be 2024 before the regulator starts getting tough with those who aren’t making enough effort to comply.