Government seeks proposals on how to bolster telecommunication firms in UK
The UK Department for Digital, Culture, Media and Sport (DCMS) has initiated public consultations on the Electronic Communications (Security Measures) Regulations 2022 and a draft code of practice, to raise cyber security standards for communication service providers (CSPs).
The new laws are currently being drafted, and the government says they will improve the security and resilience of public telecommunication networks and services and aid them in carrying out legal obligations imposed by the Telecommunications (Security) Act 2021.
The Telecommunications Act became law in November 2021 and furnished the government with new powers to establish codes of practice and new regulations on cyber security. It includes plans to strip out ‘high-risk’ telecoms vendors, such as Huawei, from the UK’s communication networks.
Now, the government aims to use that authority to strengthen the security of the UK’s public telecommunications networks and services.
The Telecommunications (Security) Act 2022 will amend and expand upon the Communications Act 2003 to impose additional obligations upon providers of communications networks and services to identify and mitigate the risk of security breaches, as well as prepare in advance for their occurrence.
The government is seeking informed views from communications regulator Ofcom, service providers and people with relevant expertise as part of its public consultation.
Under the proposed laws, telecommunications firms will be legally required to:
- Protect data held by their networks and services, as well as secure the fundamental operations that allow them to be run and controlled.
- Secure the tools they employ for network monitoring and analysis against hostile states.
- Monitor public networks for potentially harmful activities and have a thorough awareness of their security risk, with frequent reporting to internal boards.
- Take account of supply chain risk, as well as understand and manage people who have access to their networks and services functions and can make changes to how networks operate.
The consultation also seeks views on the proposal to classify telecommunications providers into three tiers based on their size and relevance to UK connectivity.
According to the government, this method will guarantee that guiding measures are applied effectively and proportionally based on the type of provider.
Companies that fail to comply with the guidelines could be fined up to 10 percent of their annual revenue, or £100,000 per day for continuing violations.
The draft code also shows that the government has scrapped plans for service providers to monitor and retain internet connection records.
The most recent version of the legislation states that the 13-month logging obligation only applies to monitoring ‘security critical functions’ of telecom and ISP networks:
“Logs for network equipment in security critical functions shall be fully recorded and made available for audit for 13 months.”
ISPs have deadlines to work to: large ISPs have until 2025 to implement such logging, and smaller companies will have years to get everything in order.
Responses to the consultation are due by 11:45 p.m. on May 10, 2022.
“Broadband and mobile networks are crucial to life in Britain and that makes them a prime target for cybercriminals,”
“Our proposals will embed the highest security standards in our telecoms industry with heavy fines for any companies failing in their duties.”
Digital Infrastructure Minister, Julia Lopez
The government also launched consultations to find out how to lawfully remove Huawei equipment from its 5G networks by the end of 2027.
These include proposals that request full fibre broadband operators to refrain from installing Huawei equipment that is subject to US penalties.
UK telecommunications companies have already been withdrawing Huawei from the UK’s 5G networks, following a government statement from July 2020.