The UK Government has announced that network providers (e.g. broadband ISPs and mobile operators) will become subject to new regulations – under the Telecommunications (Security) Act – from 1st Oct 2022, which aside from restricting the use of Huawei, will also impose changes to make networks safer from cyberattack.
Just to recap. The TSA became law in November 2021 (full summary). The goal was to impose stronger legal duties on public telecoms providers to help defend their networks from cyber threats, which could cause network failure or the theft of sensitive data. Few could disagree with that desire, although politicians – who tend not to fully understand how such networks work in the real world – are often terrible at getting technical rules right.
The new framework hands significant new powers to the Government and Ofcom, enabling them to intervene in how telecommunications companies run their business, manage supply chains, design and even operate networks. Fines of up to 10% of turnover or £100,000 a day will be issued against those that fail to meet the required standards, which would be a particularly big burden for smaller players.
Digital Infrastructure Minister, Matt Warman, said:
“We know how damaging cyber attacks on critical infrastructure can be, and our broadband and mobile networks are central to our way of life.
We are ramping up protections for these vital networks by introducing one of the world’s toughest telecoms security regimes which secure our communications against current and future threats.”
The related Code of Practice (CoP) for all this puts telecoms providers into three “tiers”, which are filtered according to size and importance to UK connectivity (i.e. the smallest players see softer regulation). Tier 1 providers are the biggest players (e.g. BT, Vodafone, Virgin Media / VMO2 etc.), while Tier 2 providers are medium-sized players (e.g. Hyperoptic, Zen Internet) and Tier 3 reflects the smallest companies (those that are not micro-entities).
One catch above is that some smaller providers may supply parts of networks and services owned by larger Tier 1 or Tier 2 providers. In that case, the regulations stipulate that where a provider acts as a third-party supplier to another provider, they must take security measures that are equivalent to those taken by the provider receiving their services.
Telecoms providers will be legally required to:
➤ Protect data stored by their networks and services, and secure the critical functions which allow them to be operated and managed;
➤ Protect tools which monitor and analyse their networks and services against access from hostile state actors;
➤ Monitor public networks to identify potentially dangerous activity and have a deep understanding of their security risks, reporting regularly to internal boards; and
➤ Take account of supply chain risks, and understand and control who has the ability to access and make changes to the operation of their networks and services.
The Government, which has been consulting on the implementation of all this since March 2022 (here), has today issued its response (here). Overall, there were 38 responses to the consultation, from public telecoms providers, industry trade bodies, telecoms suppliers etc. As a result, a number of changes have been made to the regulations, which may help to soften the blow a bit. We’ve summarised some of them below.
Changes to the Regulations Post-Consultation
➤ The draft code stipulated that providers should offer their customers a no-additional-cost replacement of customer premises equipment (e.g. broadband routers) supplied by that provider, once that equipment had gone out of third party support. But operators warned that the cost of doing this would be extreme. The Government have thus amended the draft code of practice to remove the suggestion that providers should replace CPE at no extra cost to the customer.
➤ The implementation timeframes for Tier 1 providers are now aligned with the Tier 2 timeframes, with the exception of the timeframes for the most straightforward and least resource intensive measures. Tier 1 providers will, therefore, now be expected to:
– implement the most straightforward and least resource intensive measures by 31 March 2024
– implement relatively low complexity and low resource intensive measures by 31 March 2025
– implement more complex and resource intensive measures by 31 March 2027
– implement the most complex and resource intensive measures by 31 March 2028
This approach, said the Government, would ensure that all public providers are afforded appropriate time to implement measures while preserving the need for new security measures to be introduced as soon as is feasible. Previously they sought some implementation by 31st March 2023 and that, complained operators, would have been very costly and difficult to achieve.
➤ Clarifications were made to ensure security measures are targeted at the parts of networks most in need of protection, like new software tools that power 5G networks. In addition, it’s specifically noted that private networks are NOT in scope of the new security framework introduced by this Act.
➤ Inclusion of further guidance on national resilience, security patching and legacy network protections, to help providers understand actions that need to be taken.
Despite the changes, it remains a reality that practically applying such rules to hugely complex national telecommunications networks, with global connectivity and supply chains to consider, will not be so easy (i.e. modern software, internet services and hardware are all produced with bits and pieces, as well as connectivity, from across the world). Much will also depend upon Ofcom’s approach, which we’re still waiting to see (here).
The related Electronic Communications (Security Measures) Regulations will now be laid in Parliament for Parliamentary scrutiny under the negative procedure. It is intended that the regulations will subsequently come into force on 1st October 2022. On the same day as the regulations, the draft Telecommunications Security Code of Practice will also be laid in Parliament, in accordance with Section 105F of the Communications Act 2003. If neither House resolves against the draft code of practice within 40 sitting days, it will then be issued and published in final form.
Ofcom will regulate the new framework in accordance with its new functions under the Act to seek to ensure that public telecoms providers comply with their security duties. Ofcom has a clear remit to work with public telecoms providers to improve the security of their networks and services and monitor their compliance, including the power to request information.
The regulator is expected to begin this process in advance of the first implementation timeframes in the draft code of practice, which are set for completion by 31st March 2024. Ofcom will naturally produce its own procedural guidance on its approach to monitoring and enforcing industry’s compliance with the security duties, and has consulted publicly on a draft of this.
Has Matt Warman done a CCNA or CCNP course? Guess not.
Not sure how a Cisco course will help with the requirements of the TSA which, as mentioned, incorporates many vendors and specific IT disciplines that are not just working on network configs to shunt traffic about but encompass things like supply chains, CPEs and transmission etc.