Gov Publish Response to Revision of UK Telecommunications Security Code
The UK Government (DSIT) has today published its response to a planned revision of the Telecommunications Security Code of Practice (2022), which will update the code to reflect changes in what sort of specific security measures public telecoms providers (broadband, mobile etc.) must take in order to protect their networks from attack.
Just to recap. The original code was an extension of the wider Telecommunications (Security) Act 2021 (summary), which itself was originally introduced to restrict the use of Huawei’s kit in UK telecoms networks, while also imposing a variety of changes to make related networks safer from cyberattack.
The law and its supporting Code handed new powers to the Government and Ofcom, enabling them to intervene in how network operators run their business, manage supply chains, design and even operate networks. Fines of up to 10% of turnover or £100,000 a day can even be issued against those that fail to meet the required standards, albeit tiered to different sizes of provider.
Advertisement
However, the code is designed to be periodically updated as “new threats emerge and technologies evolve“, which is what the government proposed to do last year when it launched a related consultation (here). The government has now responded to that consultation with their planned revisions to the draft code (here) – see tracked changes (PDF).
Many of the changes are focused on providing additional guidance and clarity, particularly in relation to how operators should handle evolving technologies like mobile eSIMs, Small Cells, modern encryption and APIs etc. The code has also been updated to reflect the need for tackling hostile-state-linked attacks, while separately opting to partly roll back on the proposed addition of ‘Business Support Systems’ – respondents felt this was too broad and risked bringing a wide range of IT systems into scope that are not relevant to network security (business support systems are still technically covered, in certain circumstances).
The update also reemphasises the need to take a holistic, risk-based approach to the Code of Practice, which aims to encourage delivering a security approach that considers the Code in its entirety, rather than taking individual security measures in isolation. But this is still sometimes at odds with Ofcom’s compliance monitoring approach that drives some providers towards more of a ‘checklist’ approach.
Overall, most of the changes appear to be fairly small to modest, although we’ve only skimmed through what is quite a long and laborious read. The revised draft will now need to be laid before parliament before being formally introduced. The draft covers a much wider set of changes than we can easily summarise here, so those with an interest are advised to read it.
Advertisement
Mark is a professional technology writer, IT consultant and computer engineer from Dorset (England), he also founded ISPreview in 1999 and enjoys analysing the latest telecoms and broadband developments. Find me on X (Twitter), Mastodon, Facebook, BlueSky, Threads.net and Linkedin.
« Government Confirms Sir Ian Cheshire as Ofcom’s New UK Chairman
Openreach’s FTTP Broadband Take-up in Wales Nears 50 Percent »
Advertisement
Leave a Reply
Privacy Notice: Please note that news comments are anonymous, which means that we do NOT require you to enter any real personal details to post a message and display names can be almost anything you like (provided they do not contain offensive language or impersonate a real person's legal name). By clicking to submit a post you agree to storing your entries for comment content, display name, IP and email in our database, for as long as the post remains live.
Only the submitted name and comment will be displayed in public, while the rest will be kept private (we will never share this outside of ISPreview, regardless of whether the data is real or fake). This comment system uses submitted IP, email and website address data to spot abuse and spammers. All data is transferred via an encrypted (https secure) session.
So where was this when infosys was handed over UK information??