UK government unveils new rules to protect telecoms networks against cyberattacks

From October, firms will be required to protect networks from the threat of cyberattack, with Ofcom able to issue fines for non-compliance of up to 10 percent of turnover

Posted 31 August 2022 by Christine Horton

The UK government has announced tougher security rules for broadband and mobile companies to better protect UK networks from potential cyberattacks.

Currently, telecoms providers are responsible for setting their own security standards in their networks. However, the government’s Telecoms Supply Chain Review found providers often have little incentive to adopt the best security practices.

The Telecommunications (Security) Act became law in November last year and puts stronger legal duties on public telecoms providers to defend their networks from cyber threats which could cause network failure or the theft of sensitive data. 

The new regulations and code of practice, developed with the National Cyber Security Centre (NCSC) and Ofcom, set out specific actions for UK public telecoms providers to adhere to the Act. The goal is to improve the UK’s cyber resilience by embedding good security practices in providers’ investments and the day-to-day running of their networks and services.

Providers will be subject to the new rules from October. Ofcom will oversee, monitor and enforce the new legal duties and have the power to carry out inspections of telecoms firms’ premises and systems to ensure they’re meeting their obligations.

If companies fail to meet their duties, the regulator will be able to issue fines of up to 10 percent of turnover or, in the case of a continuing contravention, £100,000 per day.

Protecting and securing networks

The regulations are intended to make sure providers protect data processed by their networks and services, and secure the critical functions which allow them to be operated and managed.

Telecoms providers will also be required to protect software and equipment which monitor and analyse their networks and services, to have a deep understanding of their security risks, and to be able to identify when anomalous activity is taking place, with regular reporting to internal boards.

They must also take account of supply chain risks, and understand and control who has the ability to access and make changes to the operation of their networks and services to enhance security.

“We know how damaging cyberattacks on critical infrastructure can be, and our broadband and mobile networks are central to our way of life,” said Digital Infrastructure Minister Matt Warman.

“We are ramping up protections for these vital networks by introducing one of the world’s toughest telecoms security regimes which secure our communications against current and future threats.”

The regulations will be laid as secondary legislation in Parliament shortly, alongside a draft code of practice providing guidance on how providers can comply with them. 

Enforcing the new rules

Ofcom will use its new powers to ensure providers are following the guidance within the code of practice. This includes:

  • Identifying and assessing the risk to any ‘edge’ equipment that is directly exposed to potential attackers. This includes radio masts and internet equipment supplied to customers, such as Wi-Fi routers and modems, which act as entry points to the network
  • Keeping tight control of who can make network-wide changes
  • Protecting against certain malicious signalling coming into the network which could cause outages
  • Having a good understanding of risks facing their networks; and
  • Making sure business processes are supporting security (e.g. proper board accountability).

Providers will be expected to have achieved these outcomes by March 2024. The code of practice will set out further timeframes for completion of other measures. The code will be updated periodically to ensure it keeps pace with any evolving cyber threats.