Until now, telecom providers in the UK have been responsible for their own security protocols and measures. Yet, as the UK government points out on its website, much of the country is reliant on these networks for personal use, to conduct business, and to access public services.
In recent years, UK citizens, businesses, and public services have been plagued by increasingly targeted and sophisticated cyber attacks. It’s unclear how many of these attacks target telecom providers or their users. The authorities felt the threat was significant enough, though, to introduce a strict new act that will impose rigid cybersecurity rules on telecom providers’ operations.
The UK government proposed a new act to strengthen telecom providers’ security practices after a supply chain review found providers often have little financial incentive to adopt good security practices.
Introducing the Telecommunications (Security) Act 2021
The UK government recently published the final amendments to the draft of the Telecommunications (Security) Act 2021 after finishing a public consultation round. The framework will impose an unparalleled level of strict new rules to improve the security of telecommunications providers across the UK.
The Telecommunications (Security) Act will come into effect in October 2022, and will be one of the strictest regulations of its kind in the world. It amends the previous Communications Act 2003 by adding new provisions, and it gives the government the power to make new regulations that place specific security obligations on providers of public telecom networks and services. The bill also lets the government issue new codes of practice to guide providers on how to meet these obligations.
These regulations touch on various aspects of telecom providers’ systems, including user data, the company’s software and equipment, and supply chains. Providers will also have to focus on risk assessment and anomaly detection.
The Act’s final amendments include a number of expectations that telecom providers need to implement by March 2024, while other measures need to be completed at a later date:
- Identify and assess potential risks to “edge” equipment that is directly exposed to potential attackers. That includes radio masts and internet equipment supplied to customers such as Wi-Fi routers and modems.
- Tighten control over who can make network-wide changes.
- Protect against certain malicious signaling coming into the network which could cause outages.
- Have a good understanding of the risks facing their networks.
- Make sure business processes are supporting security (like proper board accountability).
Ofcom, the UK’s communications regulator, can inspect telecom firms’ premises and systems to ensure they meet these obligations. If it finds a telecom provider is failing to meet these requirements, the regulator can fine the provider up to 10% of turnover or, in the case of a continuing contravention, £100,000 ($116,000) per day.
While the UK government’s plan to strengthen telecom providers’ networks to “improve national resilience” will hopefully work to prevent some forms of cyber attacks, people and services across the country are still at risk.
Cyber Attacks Will Continue to be a Problem for the UK
Telecom providers need to have stricter security practices as they process a lot of personal data, including people’s online activities, which can include online banking information. Yet they aren’t the only avenue of attack for cybercriminals. Cyber attacks come in many different forms and can target devices, people, networks, or systems.
If UK citizens and businesses truly want to improve their security, they’ll need to implement a holistic approach that secures all of these areas. That includes improving digital literacy, following basic cybersecurity principles, using a VPN to protect their network connections, and assessing their own systems to see where they are at risk and where they can bump up security practices.
The UK government’s focus on strengthening telecom providers’ security is a good step in the right direction, but more action is needed to improve the overall cybersecurity in the country.