The Department for Digital, Culture, Media and Sport (DCMS) has today opened a consultation on new regulations, and a draft code of practice, that will supposedly help communications services providers (CSPs) fulfil the legal duties imposed on them under the Telecommunications (Security) Act that became law in November 2021.
The Act was initially conceived in reaction to the outcry over the assumed cyber security risks associated with the use of Huawei telecoms equipment in the UK’s critical national networks – banned since July 2020 – but also serves to improve general telecoms security standards, and protect citizens and organisations from cyber attacks, whether by cyber criminals or nation states. The government believes this is an even more pressing need given the take-up of 5G mobile and full-fibre broadband services.
Among other things, the Act imposes a stronger legal duty on CSPs to defend their networks from attacks that could either cause their networks to fail, or lead to the loss of sensitive data.
The consultation covers a range of measures and guidance that have been developed alongside the National Cyber Security Centre (NCSC), ultimately with the aim of embedding cyber best practice in both the long-term investment decisions taken by CSPs and the day-to-day business of running a comms network service.
“Broadband and mobile networks are crucial to life in Britain and that makes them a prime target for cyber criminals,” said digital infrastructure minister Julia Lopez. “Our proposals will embed the highest security standards in our telecoms industry with heavy fines for any companies failing in their duties.”
Ian Levy, technical director of the NCSC, added: “Modern telecoms networks are no longer just critical national infrastructure [CNI], they are central to our lives and our economy. As our dependence on them grows, we need confidence in their security and reliability, which is why I welcome these proposed regulations to fundamentally change the baseline of telecoms security.
“The NCSC has worked closely with DCMS and industry to propose and advise on the most effective measures that telecoms operators can take to ensure the resilience of UK broadband and mobile networks, now and into the future.”
Among other things, the draft regulations will impose the following key duties on CSPs:
- That they protect data stored on their networks and services and secure the critical functions that allow them to be operated and managed.
- That they protect the tools they use for network monitoring and analysis against hostile nation states.
- That they monitor public networks to spot potentially harmful or dangerous activity, and have a deep understanding of their cyber risks, reporting to internal boards on a regular basis.
- That they take account of supply chain risk, and understand and control who is able to access and make changes to how their networks and services operate.
DCMS and the NCSC are also seeking views on a proposal to group CSPs into three tiers under the code of practice, depending on their scale and their importance to the UK’s overall connectivity picture – in practice, this is likely to see tougher expectations placed on BT than on a rural altnet, for example. The government hopes that doing so will ensure the steps to be taken under the code are applied proportionately, and don’t tie up smaller operators with red tape.
It also sets out a proposal to strengthen the overarching legal duties on CSPs as a way of making it more attractive to adopt cyber best practice, on the basis that CSPs have, up to now, had little incentive to do so.
Ultimately, those that fail to comply with the regulations could face fines reaching 10% of their turnover or £100,000 a day if a breach is ongoing. Ofcom, as the national regulator, will be tasked with monitoring and assessing CSP security.
The consultation will be open until 10 May 2022, then, following review and amendments, a final set of regulations and the code of practice will be laid in Parliament as required by the 2003 Communications Act (amended by the Telecommunications (Security) Act), to be introduced later in the year.