Government opens public consultation to bolster security of telecom firms
'Our proposals will embed the highest security standards in our telecoms industry with heavy fines for any companies failing in their duties,' says digital infrastructure minister
The UK Department for Digital, Culture, Media and Sport (DCMS) has launched a public consultation on the Electronic Communications (Security Measures) Regulations 2022 and a draft code of practice, with the aim of raising cyber security standards for communication service providers (CSPs).
The government says the new laws, currently in draft, will improve the security and resilience of public telecommunication networks and services and help them in carrying out legal obligations imposed by the Telecommunications (Security) Act 2021.
The Telecommunications Act, which became law in November 2021, provided the government with new powers to establish codes of practice and new regulations on cyber security. It included provisions to strip out telecoms vendors considered to be high-risk, such as Huawei, from the UK's communication networks.
The government now wants to use that authority to bolster the security of the UK's public telecommunications networks and services.
The Telecommunications (Security) Act 2022 will bring new amendments to the Communications Act 2003 to impose additional obligations on providers of communications networks and services to identify and mitigate the risk of security breaches, as well as prepare in advance for their occurrence.
The public consultation seeks informed views from communication regulator Ofcom, service providers and people with relevant expertise.
Under the proposed laws, telecommunications firms will be legally required to:
- Protect data held by their networks and services, as well as secure the fundamental operations that allow them to be run and controlled.
- Secure the tools they employ for network monitoring and analysis against hostile states.
- Monitor public networks for potentially harmful activities and have a thorough awareness of their security risk, with frequent reporting to internal boards.
- Take account of supply chain risk, as well as understand and manage people who have access to their networks and services functions and can make changes to how networks operate.
The consultation also seeks views on the proposal to classify telecommunications providers into three tiers based on their size and relevance to UK connectivity.
According to the government, this mechanism would guarantee that the guiding measures are applied effectively and proportionally based on the type of the provider.
Companies that fail to comply with the guidelines may face fines of up to 10 per cent of their annual revenue or a penalty of £100,000 per day in the case of a continued violation.
The draft code also revealed that the government has dropped its controversial plan for service providers to monitor and retain internet connection records.
As per the most recent version of the legislation, the 13-month logging obligation only applies to monitoring "security critical functions" of telecom and ISP networks.
"Logs for network equipment in security critical functions shall be fully recorded and made available for audit for 13 months," the draft regulations say. Large ISPs will have until 2025 to implement such logging, while smaller outfits will have a full five years to get themselves up to speed.
Responses to the consultation are due by 11:45 p.m. on May 10, 2022.
"Broadband and mobile networks are crucial to life in Britain and that makes them a prime target for cybercriminals," stated digital infrastructure minister Julia Lopez.
"Our proposals will embed the highest security standards in our telecoms industry with heavy fines for any companies failing in their duties."
Last month, the government also launched a consultation to find out ways to lawfully remove Huawei equipment from its 5G networks by the end of 2027.
Proposals include requesting that full-fibre broadband operators refrain from installing Huawei equipment that is subject to US penalties.
Following a government statement in July 2020, UK telecommunications companies have already moved to withdraw Huawei from the UK's 5G networks.