Gov Consults on New UK Telecoms and Internet Security Code UPDATE

Tuesday, March 1st, 2022 (4:19 pm) - Score 1,224
The UK Government has today begun to consult on draft regulations for their new Telecommunications (Security) Act which, aside from banning Huawei inside 5G mobile networks (and restricting their involvement with FTTP broadband), will also impose a cacophony of tedious new security rules on telecoms operators.

The TSA became law in November 2021 (full summary) and imposes stronger legal duties on public telecoms providers to defend their networks from cyber threats, which could cause network failure or the theft of sensitive data. Few could disagree with such desires, although politicians – who tend not to fully understand how these networks work in the real world – are often awful at getting such rules right.

The above is a concern because the new framework hands significant new powers to the Government and Ofcom, enabling them to intervene in how telecommunications companies run their business, manage supply chains, design and even operate networks. Fines of up to 10% of turnover or £100,000 a day will be issued against those that fail to meet the required standards, which would be a particularly big burden for smaller players.

The good news is this consultation seeks views on plans to place telecoms providers into three “tiers” under the new Code of Practice (CoP), which will be filtered according to size and importance to UK connectivity. The purpose here, we’re told, is to “ensure steps to be taken under the code are applied proportionately and do not put an undue burden on smaller companies.” But we’ll come back to this later.

Telecoms providers will be legally required to:

➤ Protect data stored by their networks and services, and secure the critical functions which allow them to be operated and managed;

➤ Protect tools which monitor and analyse their networks and services against access from hostile state actors;

➤ Monitor public networks to identify potentially dangerous activity and have a deep understanding of their security risks, reporting regularly to internal boards; and

➤ Take account of supply chain risks, and understand and control who has the ability to access and make changes to the operation of their networks and services.

However, practically applying such rules to hugely complex national telecommunications networks, with global connectivity and supply chains to consider, will not be so easy (i.e. modern software, internet services and hardware are all produced from bits and pieces, as well as connectivity, sourced from across the world). The code will thus need to have some flexibility in order to avoid stifling innovation.

Julia Lopez, UK Digital Infrastructure Minister, said:

“Broadband and mobile networks are crucial to life in Britain and that makes them a prime target for cyber criminals.

Our proposals will embed the highest security standards in our telecoms industry with heavy fines for any companies failing in their duties.”

The consultation will remain open until 10th May 2022 and after that the final regulations and the final CoP will be laid in Parliament. Assuming all goes to plan, then both are expected to be enforced from sometime “later this year.”

In terms of that tier system, the government essentially proposes allocating providers into three tiers with different compliance expectations and levels of Ofcom oversight for each tier.

The Three Tiers

➤ Tier 1 providers would be the largest organisations providing public networks and services for which a security compromise would have the most widespread impact on network and service availability, and the most damaging economic or social effects. This is likely to include public telecoms providers with relevant annual turnover of £1bn+.

➤ Tier 2 providers would be those medium-sized companies providing networks and services for which security compromises would have an impact on critical national infrastructure (CNI) or regional availability with potentially significant security, economic or social effects. This is likely to include public telecoms providers with relevant annual turnover in the relevant period of £50m or more, but less than £1bn.

➤ Tier 3 providers would be the smallest companies in the market that are not micro-entities. While security compromises to their networks or services could affect their customers, if those networks and services do not support CNI such compromises would not significantly affect national or regional availability.

To give a little context to the above, virtually all of the largest broadband ISPs would naturally fall into Tier 1, while medium-sized ISPs (e.g. Hyperoptic with a turnover of £51.7m and Zen Internet on £82.1m) would probably fall into Tier 2. The vast majority of smaller providers would thus fall into Tier 3 and should enjoy a light touch approach.

The Government states that Tier 3 providers may choose to adopt the measures where these are relevant to their networks and services. “We welcome feedback from providers who may be considered Tier 3 on whether further specific guidance is needed to assist compliance with legal obligations.”

However, there is a catch here. Some Tier 3 providers may supply parts of networks and services owned by larger Tier 1 or Tier 2 providers. Therefore, the draft regulations stipulate that where a provider acts as a third-party supplier to another provider, they must take security measures that are equivalent to those taken by the provider receiving their services. “This requirement is intended to prevent unacceptable vulnerabilities being posed by smaller providers who may not be considered Tier 1 themselves,” which we imagine may be a problem for some companies.

UPDATE 8th March 2022

Ofcom has today begun consulting on the related guidance for telecoms providers.

Under the new framework, the regulator has a duty to ensure providers comply with their security duties, including as to the availability, performance or functionality of the network or service; and it gives Ofcom the powers to proactively monitor and enforce these duties.

The new consultation sets out the procedures they expect to follow in carrying out their monitoring and enforcement activities. “We have also proposed new guidance on which security compromises we would expect providers to report to us. We are also proposing to update our existing guidance on network resilience to reflect the new framework, and draft regulations and Code of Practice, on which the UK Government is currently consulting.”

Interested or affected parties are invited to respond to this consultation by 17th May 2022. “We plan to issue our final procedures and guidance in Autumn 2022,” said Ofcom.

By Mark Jackson
Mark is a professional technology writer, IT consultant and computer engineer from Dorset (England). He also founded ISPreview in 1999 and enjoys analysing the latest telecoms and broadband developments. Find me on Twitter, Facebook and Linkedin.
2 Responses
  1. MilesT says:

    So, who would Ofcom fine if there was a widespread tool-driven security breach affecting multiple ISPs... the tool provider? No one? Everyone?

    I’m thinking SolarWinds here.

    1. boggits says:

      Each individual compromised ISP would be in scope, as they’ve failed in the requirement to secure their supply chain. If they could show that they had done everything they could to protect that chain, then they could use the defence of best efforts and should (depending on their argument) receive just an admonishment or a reduced penalty (if they’d done some mitigation).

Copyright © 1999 to Present - ISPreview.co.uk - All Rights Reserved