The UK’s network operators are now compelled to implement tough new security rules imposed by the government on pain of massive fines.
As if the UK government didn’t already have enough power, it passed the Telecommunications Security Act last November and has wasted little time in making use of it. New regulations developed with the National Cyber Security Centre and Ofcom set out specific actions for UK public telecoms providers to fulfil their legal duties under the Act. Ofcom has been given the power to fine them up to 10% of their turnover if they fail to comply with sufficient zeal.
“We know how damaging cyber attacks on critical infrastructure can be, and our broadband and mobile networks are central to our way of life,” said Digital Infrastructure Minister Matt Warman. “We are ramping up protections for these vital networks by introducing one of the world’s toughest telecoms security regimes which secure our communications against current and future threats.”
Network operators can’t be trusted with their own security, apparently, so the government and Ofcom feel compelled to step in and force them to do the right thing. The government’s Telecoms Supply Chain Review apparently found providers often have little incentive to adopt the best security practices. It would be interesting to know whether the security chiefs at those companies agree. Here are some more specifics on how they can mend their insecure ways:
- Protect data processed by their networks and services, and secure the critical functions which allow them to be operated and managed;
- Protect software and equipment which monitor and analyse their networks and services;
- Have a deep understanding of their security risks and the ability to identify when anomalous activity is taking place with regular reporting to internal boards; and
- Take account of supply chain risks, and understand and control who has the ability to access and make changes to the operation of their networks and services to enhance security.
If, as the new rules imply, those things aren’t already being done, then that is a major cause for concern. What seems more likely, however, is that operators are already doing a solid job on securing their networks and that these new rules serve mainly to demonstrate how much the state is doing to protect its quivering subjects from cyber baddies.
Communications regulator Ofcom has once more been picked to police the rules, armed with the threat of disproportionate fines for non-compliance. The rules kick in this October and providers have to demonstrate compliance by March 2024, or else.