Strict new security laws are hitting the telecoms industry

John Moran, Technical Director of Business Development at Tufin, asks if the telecoms industry is ready for strict new security laws and if it is compliant.

The last few years have seen a much greater focus on the cyber threat posed to critical national infrastructure (CNI) - those systems that underpin our society and economy. The threat has rapidly increased as geopolitical tensions mount and systems become more digitised and, as a result, more vulnerable to malign cyber activity.

The telecoms industry’s focus on connectivity means it has been exposed to cyber threats for longer than many other sectors. An assessment by the National Cyber Security Centre (NCSC) highlighted critical threats such as the disruption of networks to interrupt supply to UK businesses and consumers, and espionage action to acquire or modify data within the UK’s networks. In response to the rising threat, the UK Government recently announced strict new regulations which come into effect in October 2022. The new Telecoms Security Requirements, under the Telecoms Security Act, propose a range of new measures, with the threat of steep fines for non-compliance.

So what does the new regulation mean for UK telcos – and will it make a difference in improving the UK’s security against cyber threats?

What are the new security requirements facing telcos?

The regulation means that telecoms providers will be subject to a number of new requirements aimed at ensuring networks are properly defended against attacks that could either cause network failures or compromise sensitive data. Ofcom is overseeing and enforcing the new legal duties, and the telecoms regulator has been granted the power to inspect telecoms facilities to ensure compliance. Non-compliance could be met with fines of up to 10 percent of the firm’s turnover.

Continued contravention of the regulation could result in fines of £100,000 per day - a powerful incentive for the industry to take this seriously. The requirements cover a wide variety of areas, with a focus on better visibility and control of telecoms infrastructure. Firms will be required to demonstrate a solid understanding of their risk exposure and step up their provisions to ensure they have robust processes in place to prevent, detect and respond to any threats. Change processes are of particular importance, with an emphasis on maintaining strong control over how network-wide changes such as configuration and policy alterations can be made.

Providers will also need to regularly assess the risk to any ‘edge’ equipment such as radio masts and customer equipment like Wi-Fi routers and modems that can be exploited as entry points to the wider network. Protection against malicious signalling that can result in outages will also be a priority. Telcos will have until March 2024 to achieve these outcomes.

A new regulation with teeth
The real value in government-led regulations is how they are designed and implemented. In many cases, they can end up as a mere tick-box exercise, handing organisations a list of requirements that they must meet to achieve compliance. This often leads to lacklustre results, as many firms will focus on reaching the required standard rather than planning or making decisions based on the impact on their security level; for example, purchasing the lowest-cost, off-the-shelf option even if it’s a bad fit for their actual needs. The most effective regulations tend to be outcome-based, requiring firms to demonstrate positive changes to their security status so that updates to tools and processes are a means to an end, rather than goals in themselves. That said, this type of regulation is generally more challenging to apply and enforce as it will be much more subjective. There is a risk of all organisations appearing to be compliant right up until they suffer a breach.

The Telecommunications Security Act appears to be leaning more towards the outcome-based approach, with an emphasis on proven security capabilities rather than a checklist to tick off. The power invested in Ofcom to carry out site inspections may also help to ensure that firms are compliant before a breach occurs.

The level of fines involved gives the regulation real teeth and may help to make a difference in improving security. We’ve seen repeatedly that many of the results of data breaches, such as lost business and reputational damage, are fleeting at best. Shares tend to bounce back and customers often have short memories. Telcos also have a more assured customer base than most, as many businesses and individuals will have limited options for switching to other providers.

In a similar vein, telecoms providers were previously responsible for setting their own security standards in their networks. However, the government’s Telecoms Supply Chain Review found providers often had little incentive to adopt the best security practices.

What are the compliance priorities for telcos?
The new regulations place a real emphasis on the visibility and understanding of risk. However, this has always been a somewhat nebulous topic that is difficult to accurately measure, assess, and prioritise. Regulating risk management can also be a difficult process as risk levels will be highly subjective for each organisation, dependent on their unique infrastructure and environment. It appears that the best way for telcos to ensure compliance with the new laws is to demonstrate that they have the right processes and technical capabilities in place for key areas like monitoring, security network access and change management. Crucially, they must be able to prove that any measures they put in place are driven by a real, contextual understanding of security risks.

Change management, for example, is incredibly important as unauthorised changes to the system by a malicious actor could cripple the network and cause a service blackout. But telcos will also need to account for the fact that all changes equate to risk, even planned ones. Telecoms networks are large and complex and system changes can inadvertently cause a cascade of unintended consequences. Telcos will need to ensure that they can not only lock down who can initiate system changes, but also that they are able to accurately assess the impact of any planned alterations or additions.

Much like real-time network monitoring, an automated approach to policy-based network management will be essential as tasks like this have become too resource-intensive to complete. This will become ever more important as providers expand their infrastructure to accommodate the booming 5G market. The ability to accurately assess, quantify and mitigate risk will be the most valuable asset for telecoms providers to achieve compliance with these strict new regulations.

Telcos will need granular visibility into all of their networks, cloud services and assets, as well as their related security controls. A high degree of automation will help limit and mitigate the risk of manual misconfigurations and errors. The ideal outcome is to achieve reliable, consistent network security right across a hybrid enterprise infrastructure, all powered by one solution that has been designed specifically for both cloud and network security teams. Meeting these requirements will help telcos to stay compliant and make a demonstrable difference to the resilience and security of the UK telecoms infrastructure.

