UK telecoms companies face fines of up to 10% of turnover for failing to protect networks against cyber attacks
Until now, telecoms security has been governed by the companies themselves - but new powers will be given to the communications regulator Ofcom.
New regulations being brought forward by the British Government will see telecoms companies face fines of up to 10% of their turnover - or, in the case of a continuing contravention, £100,000 per day - if they fail to comply with a code of practice that aims to protect the nation's communications networks from cyber attacks.
The "tough new rules" aim to give the government more power to set security standards for telecoms providers, which currently self-govern their security practices. The threat of large fines and the introduction of the new code of practice, compliance with which will be monitored by the communications regulator Ofcom, seek to reduce the risk of attack from bad actors seeking to disrupt the UK's critical infrastructure.
In its response to a 10-week public consultation on the new rules, the government today said:
The UK’s future prosperity rests on the security and resilience of the public electronic communications networks and services that connect us. Yet as technologies evolve, new threats to those networks and services are emerging.
Cyber hackers are now capable of threatening communications worldwide, as the cost barriers to mass-scale disruption continue to fall. Countering state threats is a high priority, with greater competition and aggression in cyberspace by countries such as Russia, China, Iran and North Korea.
Actors may seek to exploit weaknesses in telecoms equipment, network architecture and/or operational practices, in order to compromise security.
The government said that, because the UK is increasingly dependent on telecoms to sustain a growing economy and to support society, it needs to have confidence in the security of those networks. It added:
Without effective telecoms security, disruption due to cyber attacks will continue to grow, including the potential for connectivity compromises and outages that could be catastrophic.
The Telecommunications (Security) Act, which became law in November last year, underpins the new regulations: it gave the government powers to raise the security standards of the UK's mobile and broadband networks, including the electronic equipment and software at phone masts and in telephone exchanges that handle internet traffic and telephone calls.
A new code of practice
The government's Telecoms Supply Chain Review found that providers often have little incentive to adopt the best security practices.
The new code of practice, developed jointly by the National Cyber Security Centre (NCSC) and Ofcom, aims to give the telecoms industry specific actions to fulfil their legal duties. The government says it will improve the UK's cyber resilience by "embedding good security practices in providers' long term investment decisions and the day-to-day running of their networks and services".
Commenting on the new rules, Digital Infrastructure Minister Matt Warman said:
We know how damaging cyber attacks on critical infrastructure can be, and our broadband and mobile networks are central to our way of life.
We are ramping up protections for these vital networks by introducing one of the world’s toughest telecoms security regimes which secure our communications against current and future threats.
As noted above, Ofcom will oversee, monitor and enforce the new legal requirements and will have the power to inspect telecoms firms' premises and systems to check that companies are meeting the standards set out. If the regulator decides that a company is failing to comply, it will have the power to issue fines of up to 10% of turnover or, in the case of continued failure, £100,000 per day.
The new rules will come into effect in October, at which time Ofcom's new powers will also come into force. Guidance within the code of practice includes:
identifying and assessing the risk to any 'edge' equipment that is directly exposed to potential attackers. This includes radio masts and internet equipment supplied to customers, such as Wi-Fi routers and modems, which act as entry points to the network;
keeping tight control of who can make network-wide changes;
protecting against certain malicious signalling coming into the network which could cause outages;
having a good understanding of the risks facing their networks; and
making sure business processes support security (e.g. proper board accountability).
Companies that run the nation's telecoms networks will be expected to have achieved these outcomes by March 2024. The code of practice will be updated periodically, and further timeframes for completing other measures will be laid out soon, the government said.
NCSC Technical Director Dr Ian Levy said:
We increasingly rely on our telecoms networks for our daily lives, our economy and the essential services we all use.
These new regulations will ensure that the security and resilience of those networks, and the equipment that underpins them, is appropriate for the future.