UK government launches public consultation on raising telecoms security standards

The UK government has launched a public consultation period over new laws to raise telecoms cybersecurity standards. The aim is to enable mobile and broadband networks to better defend themselves against cyberattacks and put in place regulations and a code of practice that embed good security practices in providers’ long term investment decisions and the day-to-day running of their networks and services.

Telecommunications (Security) Act raises security standards of telecoms sector

The Telecommunications (Security) Act became law in November last year and puts strong legal duties on public telecoms providers to defend their networks from cyberthreats which could cause failure or the theft of sensitive data. The government’s public consultation has invited industry input on draft regulations and codes of practice which outline the specific measures telecoms providers need to take to fulfil their legal duties under the Act and how providers can comply.

Under the regulations currently proposed, telecoms providers will be legally required to protect data stored by their networks and services, and secure the critical functions which allow them to be operated and managed; protect tools which monitor and analyse their networks and services against access from hostile state actors; monitor public networks to identify potentially dangerous activity and have a deep understanding of their security risks, reporting regularly to internal boards; and take account of supply chain risks, and understand and control who can access and make changes to the operation of their networks and services.

In its consultation, the UK government is particularly seeking feedback on the following issues:

• The specific measures set out in the draft regulations and code of practice
• The proposed tiering system set out in the draft code of practice, which is intended to ensure it is implemented appropriately and proportionately
• The proposed timescales to phase-in new measures
• The ways in which the draft code of practice and the draft regulations account for older, legacy equipment that is due to be phased out

The UK government will use responses to the consultation, open until May 10, to inform its final policy decisions, which are due to come into force later this year.

Securing modern telecoms networks central to lives and economy

Commenting on the news, technical director of the UK’s National Cyber Security Centre (NCSC) Dr. Ian Levy said modern telecoms networks are no longer just critical national infrastructure, they are central to our lives and economy. “As our dependence on them grows, we need confidence in their security and reliability which is why I welcome these proposed regulations to fundamentally change the baseline of telecoms security.”

The NCSC has worked closely with DCMS and industry to propose and advise on the most effective measures that telecoms operators can take to ensure the resilience of UK broadband and mobile networks, now and into the future, Levy added. These include potential fines of up to 10% of turnover for companies that fail to comply, or in the case of a continuing contravention, £100,000 per day.

“Broadband and mobile networks are crucial to life in Britain and that makes them a prime target for cybercriminals,” stated digital infrastructure minister Julia Lopez. “Our proposals will embed the highest security standards in our telecoms industry with heavy fines for any companies failing in their duties.”