Government reveals tough new rules for telcos

Ofcom will oversee, monitor and enforce the new legislative responsibilities

Service providers currently decide on their own network standards, but lack the incentives to use the best security.

The UK Government has outlined new security regulations for broadband and mobile providers to follow to safeguard their networks against cyber attacks.

The National Cyber Security Centre (NCSC) and communications regulator Ofcom were consulted throughout the development of the new guidelines, which the Government claims are among the toughest telecoms security rules in the world.

The Telecommunications (Security) Act, which went into effect in November, grants the Government the authority to raise the security standards of the UK's mobile and broadband networks. This authority extends to the electronic equipment and software installed at phone mast sites and in telephone exchanges that handle internet traffic and phone calls.

It is currently up to communications service providers (CSPs) to decide on their own network security standards. However, the Government's Telecoms Supply Chain Review concluded that providers often lack incentives to use the best security standards.

As part of the new rules, companies will be required to protect their network operations, as well as the data that passes through their networks and services. They will also need to safeguard any software or hardware used to analyse their networks and services, so they can respond if anything unusual occurs.

The rules further suggest that companies should be aware of the risks that might be posed to their networks; be able to recognise any unusual behaviour; and report to their internal boards frequently.

Last but not least, the Government recommends CSPs take into consideration the risks associated with their supply chains, and restrict who has the authority to access and alter the functioning of networks and services.

"We know how damaging cyber attacks on critical infrastructure can be, and our broadband and mobile networks are central to our way of life," said Digital Infrastructure Minister Matt Warman.

The rules, as well as a draft code of practice outlining how providers should abide by them, will soon be introduced as secondary legislation in Parliament.

Ofcom will oversee, monitor and enforce the new legislative responsibilities. The regulator will have the authority to conduct inspections of the facilities and IT infrastructure of telecom companies to verify compliance.

Ofcom could impose penalties of up to 10% of turnover or, in the instance of a continuing violation, £100,000 per day if firms fail to fulfil their obligations.

Providers will be subject to the new regulations from October and must have accomplished the stated outcomes by March 2024. Additional deadlines for completing other measures will be outlined in the code of practice.

To ensure that it keeps up with any developing cyber threats, the code will be updated on a regular basis.