- New regulations and code proposed to raise telecoms security
standards
- Will set out what telecoms providers must do to protect their
networks and services
- Public consultation launched today on the proposals
Mobile and broadband networks will be better protected from cyber
attacks under stronger security rules for telecoms companies
proposed by the government.
The Telecommunications (Security)
Act became law in November last year and puts much stronger
legal duties on public telecoms providers to defend their
networks from cyber threats which could cause network failure or
the theft of sensitive data.
The government has today launched a public consultation on draft
regulations, which outline the specific measures telecoms
providers would need to take to fulfil their legal duties under
the Act, and a draft code of practice on how providers can comply
with the regulations.
The proposed measures and guidance, developed with the National
Cyber Security Centre, aim to embed good security practices in
providers’ long term investment decisions and the day-to-day
running of their networks and services.
Under the draft regulations telecoms providers will be legally
required to:
- protect data stored by their networks and services, and
secure the critical functions which allow them to be operated and
managed;
- protect tools which monitor and analyse their networks and
services against access from hostile state actors;
- monitor public networks to identify potentially dangerous
activity and have a deep understanding of their security risks,
reporting regularly to internal boards; and
- take account of supply chain risks, and understand and
control who has the ability to access and make changes to the
operation of their networks and services.
Digital Infrastructure Minister said:
Broadband and mobile networks are crucial to life in Britain and
that makes them a prime target for cyber criminals.
Our proposals will embed the highest security standards in our
telecoms industry with heavy fines for any companies failing in
their duties.
The consultation seeks views on plans to place telecoms providers
into three ‘tiers’ via a new code of practice according to size
and importance to UK connectivity. This will ensure steps to be
taken under the code are applied proportionately and do not put
an undue burden on smaller companies.
Currently, telecoms providers are responsible by law for setting
their own security standards in their networks. But the Telecoms Supply Chain
Reviewcarried out by the government found providers often
have little incentive to adopt the best security practices.
To deliver the revolutionary economic and social benefits of 5G
and gigabit-capable broadband connections, the government created
the Telecommunications (Security) Act to strengthen the
overarching legal duties on providers of UK public telecoms
networks and services as a way of incentivising better security
practices.
Companies which fail to comply could face fines of up to ten per
cent of turnover or, in the case of a continuing contravention,
£100,000 per day. Ofcom will monitor and assess the security of
telecoms providers.
NCSC Technical Director Dr said:
Modern telecoms networks are no longer just critical national
infrastructure, they are central to our lives and our economy.
As our dependence on them grows, we need confidence in their
security and reliability which is why I welcome these proposed
regulations to fundamentally change the baseline of telecoms
security.
The NCSC has worked closely with DCMS and industry to propose and
advise on the most effective measures that telecoms operators can
take to ensure the resilience of UK broadband and mobile
networks, now and into the future.
ENDS
Notes to editors
As part of the consultation, the government is particularly
interested in feedback on:
- the specific measures set out in the draft regulations and
draft code of practice;
- the proposed tiering system set out in the draft code of
practice, which is intended to ensure it is implemented
appropriately and proportionately;
- the proposed timescales to phase-in new measures in the draft
code of practice; and
- the ways in which the draft code of practice and the draft
regulations account for older, legacy equipment that is due to be
phased out.
The consultation on the draft code of practice meets the
requirement under section 105F in the Communications Act 2003 (as
amended by the Telecommunications (Security) Act 2021) to consult
with affected parties on the draft code of practice. The
Government has chosen to consult on the draft regulations at the
same time. This does not necessarily mean that future decisions
to make, or vary, the regulations will be subject to similar
consultation.
The Government will consider responses to the consultation to
inform final policy decisions on the regulations and code of
practice. The final regulations and the final code of practice
will be laid in Parliament, as required by the Communications Act
2003 (as amended by the Telecommunications (Security) Act 2021).
The consultation will close on 10 May. The new regulations and
code of practice are expected to come into force later this year.
