The UK government’s Department for Digital, Culture, Media and Sport has proposed a new set of rules to tighten up network security against cyberattacks in broadband and mobile carriers.
Amongst The Strongest In The World
The government says that the new regulations and code of practice, developed with the National Cyber Security Centre and Ofcom, will be among the strongest in the world. The hope is that they will provide much tougher protections for the UK from the kind of cyber threats which can cause network failure or the theft of sensitive data.
The new regulations build upon the Telecommunications (Security) Act, which became law in November and detail specific actions for UK public telecoms providers to fulfil their legal duties in the Act. The new rules follow a consultation between 1 March and 10 May 2022 on the draft Electronic Communications (Security Measures) Regulations and a draft code of practice.
The government says providers will be subject to the new rules from October from which time Ofcom will be able to start helping providers to comply.
NCSC Technical Director Dr Ian Levy said, “We increasingly rely on our telecoms networks for our daily lives, our economy and the essential services we all use” and that “These new regulations will ensure that the security and resilience of those networks, and the equipment that underpins them”.
Also, Digital Infrastructure Minister Matt Warman said “We know how damaging cyber-attacks on critical infrastructure can be, and our broadband and mobile networks are central to our way of life.” For this reason, Mr Warman said, “We are ramping up protections for these vital networks by introducing one of the world’s toughest telecoms security regimes.”
What Are The New Electronic Communications (Security Measures) Regulations?
The new regulations state that providers must:
- Protect data processed by their networks and services, and secure the critical functions which allow them to be operated and managed.
- Protect software and equipment which monitor and analyse their networks and services.
- Have a deep understanding of their security risks and the ability to identify when anomalous activity is taking place with regular reporting to internal boards.
- Take account of supply chain risks and understand and control who has the ability to access and make changes to the operation of their networks and services to enhance security.
Some of the measures that providers will have to take to comply will include:
- Identifying and assessing the risk to any ‘edge’ equipment that is directly exposed to potential attackers, e.g. radio masts and internet equipment supplied to customers (Wi-Fi routers and modems which could provide an act as entry point to the network).
- Keeping tight control of who can make network-wide changes.
- Protecting against certain malicious signalling coming into the network which could cause outages.
- Having a good understanding of risks facing their networks.
- Making sure business processes are supporting security, e.g. proper board accountability.
The government says that it expects providers to have taken these measures by March 2024.
What If They Don’t Comply?
If providers don’t comply, the government says the regulator will be able to issue fines of up to 10 per cent of turnover or, in the case of a continuing contravention, £100,000 per day!
What Does This Mean For Your Business?
Since the Telecommunications (Security) Act came into law in November 2021 and a consultation stated in March 2022, UK public telecoms providers have been expecting more regulations. As the government pointed out, and particularly with the digital transformations during the pandemic, broadband and mobile networks have become vital and central to the businesses, the economy, and daily life.
Given this importance and the fact that relations with some countries (e.g. Russia and China) are poor, plus there have been many reports of state-sponsored cyber-attacks, it is not surprising that pressure is being applied to tighten security across the board. The huge potential fines are a way to galvanize action. Ultimately, businesses and home users will benefit from tighter security at provider level, although it may take until 2024 for the regulator to start getting serious with those who aren’t making enough effort to comply.
By Mike Knight