Following the introduction of the Telecommunications (Security) Act in November last year, the Department for Digital, Culture, Media and Sport (DCMS) has launched a public consultation on draft regulations for cyber security rules outlining the specific measures telecoms providers would need to take to fulfil their legal duties under the Act.
The proposed measures and guidance, developed with the National Cyber Security Centre, aim to embed good security practices in providers’ long term investment decisions and the day-to-day running of their networks and services.
Digital Infrastructure Minister Julia Lopez said: “Broadband and mobile networks are crucial to life in Britain and that makes them a prime target for cyber criminals. Our proposals will embed the highest security standards in our telecoms industry with heavy fines for any companies failing in their duties.”
Draft cyber regulations for telecoms
Under the draft regulations telecoms providers will be legally required to: protect data stored by their networks and services, and secure the critical functions which allow them to be operated and managed; protect tools that monitor and analyse their networks and services against access from hostile state actors; monitor public networks to identify potentially dangerous activity and have a deep understanding of their security risks, reporting regularly to internal boards; and take account of supply chain risks, and understand and control who has the ability to access and make changes to the operation of their networks and services.
NCSC Technical Director Dr Ian Levy said: “Modern telecoms networks are no longer just critical national infrastructure, they are central to our lives and our economy.
“As our dependence on them grows, we need confidence in their security and reliability which is why I welcome these proposed regulations to fundamentally change the baseline of telecoms security.
“The NCSC has worked closely with DCMS and industry to propose and advise on the most effective measures that telecoms operators can take to ensure the resilience of UK broadband and mobile networks, now and into the future.”
Ensuring the security and day-to-day runnings of telecoms
The consultation seeks views on plans to place telecoms providers into three ‘tiers’ via a new code of practice according to size and importance to UK connectivity. This will ensure steps to be taken under the code are applied proportionately and do not put an undue burden on smaller companies.
To deliver the revolutionary economic and social benefits of 5G and gigabit-capable broadband connections, the government created the Telecommunications (Security) Act to strengthen the overarching legal duties on providers of UK public telecoms networks and services as a way of incentivising better security practices.
Companies that fail to comply could face fines of up to 10% of turnover or, in the case of a continuing contravention, £100,000 per day. Ofcom will monitor and assess the security of telecoms providers.
The consultation will be open until 10 May 2022, then, following review and amendments, a final set of regulations and the code of practice will be laid in Parliament as required by the 2003 Communications Act (amended by the Telecommunications (Security) Act), to be introduced later in the year.