Ofcom has provided DSIT's Secretary of State with its first
security report in accordance with section 105Z of the
Communications Act 2003.
Ofcom security report for the period October 2022 to October 2024
Details
The Telecommunications (Security) Act 2021 amended the
Communications Act 2003 (the Act) to strengthen the security and
resilience of public telecommunications networks and services.
The Act places duties on public telecoms providers to identify
and mitigate security risks, and to prepare for and address any
adverse effects. The Act also contains powers that enable HM
Government to make regulations setting out specific security
measures to be taken by providers, and to make codes of practice
containing technical guidance on the Government's preferred
approach to demonstrating compliance with the duties in the Act
and the requirements within the regulations. The Electronic
Communications (Security) Measures Regulations 2022 and the
associated Telecommunications Security Code of Practice were made
using these powers.
Ofcom is responsible for monitoring and enforcing public telecoms
providers' compliance with the telecoms security framework under
the Act and Regulations. Under the Act, Ofcom is required to
provide the Secretary of State with security reports. Section
105Z provides that:
“A security report must contain such information and advice as
Ofcom consider may best serve the purpose” which “is to assist
the Secretary of State in their formulation of policy in relation
to the security of public electronic communications networks and
public electronic communications services.”
This is the first of these security reports provided by
Ofcom.
Ofcom security report findings
The security report for the period October 2022 to October 2024
suggests that:
- Industry is taking threats seriously, and that progress is
being made in securing networks and services.
- Public telecoms providers are demonstrating good engagement
with Ofcom's information notices, with the majority of providers
committing significant resources to answering Ofcom's queries.
- There is evidence of significant investments to improve
security in line with best practices set out in the Code of
Practice.
- Ofcom is taking action where needed. It is actively engaging
with public telecoms providers to address high priority areas
requiring further work. Where it has found compliance breaches
with regard to the resilience of a provider's services, it has
used its enforcement powers. Ofcom has also published new
resilience guidance, setting out measures it expects providers to
take in relation to the availability, performance and
functionality of their networks.
- Whilst it is too early to draw firm conclusions about the
effectiveness of the legislation and the security framework it
introduced, overall indications are broadly positive.
Ofcom has no specific policy recommendations at this stage.
Next steps
As a result of this initial phase of monitoring, Ofcom explains in the
report that it does not consider that there are any new threats
or technology evolutions that would warrant updates to the
Telecommunications Security Code of Practice at this time.
The Government will continue to assess the effectiveness of the
code of practice on an ongoing basis, and update it if necessary,
for example in response to emerging threats and significant
changes in technology. In addition to Ofcom's advice, these
assessments will be informed by security advice from the National
Cyber Security Centre (NCSC) and evidence from
industry. If the Government proposes any changes, it will consult
affected public telecoms providers, Ofcom, and any other
relevant parties.