Telecoms network and service providers to implement new security measures in UK by 2024

The stated goal of the UK government, as described by Matt Warman, the minister for digital infrastructure, has been to ensure that the UK has "one of the strongest telecoms security regimes in the world".

In an attempt to protect the UK telecoms network against hostile cyberattacks, the Telecommunications (Security) Act 2021 came into force in November 2021 and introduced a stronger security framework for providers of public electronic communications networks and services and tighter restrictions on the supply of services by "high risk vendors" into sensitive core parts of UK 5G and full fibre networks.

Using the powers granted to it under the Telecoms Security Act, the UK government has now consulted on a draft regulation and code of practice intended to address security risks to public telecoms networks and services.

The Telecoms Security Act introduced the definition of a "security compromise" as "anything that compromises the availability, performance, functionality or confidentiality of the network, allows unauthorised access or interference, or causes signals or data to be lost or altered without the provider's permission" and it is this secondary legislation which sets out the detail of what is expected of telecoms providers.

For some providers, these will feel like a step-change from current expectations and will require significant consideration, effort and cost by telecoms providers to ensure that they meet the new requirements. Although the implementation dates are starting from 2024, some of the changes required will take time to consider and implement and telecoms providers should act now to ensure they have sufficient time to comply.

Consultation

In March 2022, the Department for Culture, Media and Sport began a 10-week public consultation on drafts of the Electronic Communications (Security Measures) Regulations and Telecommunications Security Code of Practice.

The consultation on the regulations and code of practice received 38 responses, including from telecoms providers, telecoms suppliers and industry trade bodies.

The most significant change to the code of practice as a result of the consultation responses was a delay of the earliest implementation date for the most straightforward and least resource-intensive measures from 31 March 2023 to 31 March 2024.

Security measures regulations

The regulations set out specific security measures that telecoms providers must undertake, providing legal clarity on the obligations imposed by the Telecoms Security Act as well as highlighting the areas which require the most focus in order to secure networks and services.

The overriding themes of the measures set out in the regulations are that telecoms providers must:

• identify the risks of security compromises
• take measures to reduce these risks
• constantly review existing processes and prepare for the occurrence of a security compromise

The detailed technical measures include security by design, requirements as to monitoring and scrutiny of supply chains.

Security by design

Networks need to be designed and maintained (and redesigned if necessary) to ensure the security of the network at all times. Network providers will need to ensure that its network is capable of being operated without reliance on persons, equipment or stored data located outside of the UK.

Monitoring and analysis

Tools for the monitoring and analysis of the network functioning should be maintained within the UK and security logs relating to security critical function access must be retained for at least 13 months, with systems in place to monitor unauthorised changes to the most sensitive parts of the network or services.

Supply chain

There is increased scrutiny on the arrangements with third party suppliers to help to identify and reduce risks of security compromise, as well as the suppliers of their suppliers.

Telecoms providers will need to:

• assess how third party suppliers (and the formation, existence and termination of the arrangements with those suppliers) may be impacted by security compromises
• review and update its contractual arrangements with suppliers
• ensure that there are written contingency plans in place in the event that supply is interrupted
• ensure there is no single point of dependence on equipment providers for any part of the network which connects directly to customers or performs the associated transmission functions.

Board-level security officer and competent staff

An officer with board-level responsibility needs to be assigned oversight of new governance processes and they must be given sufficient authority to have effective management of staff responsible for taking security measures within the organisation. It is also necessary to ensure that all staff that manage the network security are suitably skilled and experienced and are given the resources to enable them to fulfil their duties effectively.

Review and testing

Security reviews and written assessments will need to be conducted at least every 12 months as well as regular security penetration testing. Testing not only needs to effectively test the security systems but also the staff and processes, and must therefore be planned without notice to staff.

Patches

Security patches must be applied within 14 days unless there are particular circumstances which warrant a longer period, in which case appropriate records recording the reasons and mitigation measures used must be kept.

Information sharing

Telecoms providers are required to share information with other telecoms providers (subject to compliance with telecoms laws) to help the industry mitigate and remedy issues caused by security compromises.

Micro-entities exemption

Micro entities are exempt from compliance with the regulations. Micro-entities are business that satisfy at least two of the following criteria, and have not exceeded these thresholds for two consecutive financial years since it was set up:

• turnover of no more than £632,000
• balance sheet of no more than £316,000
• no more than 10 employees

Code of practice

The code of practice sets out what good telecoms security looks like, contains guidance on how telecoms providers can comply with the regulations, explains key principles and provides technical guidance on the measures that can be taken to demonstrate compliance with the legal obligations under the Telecoms Security Act and the regulations.

As the regulations do not set out the detailed technical expectations of telecoms providers but require "appropriate and proportionate" measures to be applied, the code of practice helps to clarify what is considered appropriate and proportionate reflecting the differences between public electronic communications networks and services, whether that is a difference in size and scale or its criticality. By using a three-tier system based on the telecoms provider's annual relevant turnover, the code will apply differently to each tier.

The provisions set out in the code are not legally binding, however Ofcom must take into account a provision of it in determining whether a telecoms provider has complied with the regulations. In circumstances where a telecoms provider has chosen to implement a different approach to the code, Ofcom will expect to see a robust assessment of how the measures taken were appropriate and proportionate in the circumstances to ensure compliance with the regulations.

The tiers are:

• Tier 1 – public telecoms providers with relevant turnover in the relevant period exceeding £1bn - the largest telecoms providers for which a security compromise would be the most damaging and would have the largest impact on availability.
• Tier 2 – public telecoms providers with relevant turnover in the relevant period between £50m and £1bn - medium sized companies for which a security compromise would not be as damaging as in Tier 1, but it would have an impact on critical national infrastructure, with significant economic/social and security effects.
• Tier 3 – public telecoms providers with relevant turnover in the relevant period which is less than £50m - the smallest companies (to the extent they are not micro-entities) for which security compromises would not significantly affect national or regional availability.

When will it be in force?

The new regulation is expected to come into force on 1 October 2022, and will have a varying implementation period depending on the level of work required to implement the measures.

Initially the proposal was to have a six month implementation period for the most straightforward measures, but following consultation responses, telecoms providers have been given an extra year to implement these measures, although the government indicated that while telecoms providers should be afforded the appropriate time to introduce them, the quicker telecoms providers are able to implement the measures the better.

Tier 1 telecoms providers will now be expected to implement measures on the following timeframe:

• 31 March 2024: the most straightforward and least resource intensive measures (for example, maintaining accurate records of all externally-facing systems)
• 31 March 2025: relatively low complexity and low resource intensive measures (such as phasing out the use of SIMs which present an unmitigable security risk)
• 31 March 2027: more complex and resource intensive measures (for instance, ensuring that all data sharing with third party suppliers shall be over an encrypted and authenticated channel)
• 31 March 2028: the most complex and resource intensive measures (for example, automating administrative processes wherever possible, with manual administration creating an alert where amendments have been made to security critical functions)

Tier 2 implementation timelines broadly follow those for Tier 1 (except for the most straightforward and least resource intensive measures which will be a year later for Tier 2) and Tier 3 providers will have longer periods.

Next steps

The regulations will be put to Parliament for scrutiny, with the intention for them to come into force on 1 October 2022. The code of practice will also be put to Parliament and if neither House resolves against the draft within 40 sitting days, then it will be published in its final form.

Ofcom, which is responsible for monitoring and assessing the security of telecoms providers, has also conducted its own consultation on new guidance for telecoms providers following the introduction of the Telecoms Security Act, which it is yet to publish. The proposed guidance focuses on a sub-set of "security compromises" which relate to the resilience of networks and services, in terms of availability, performance or functionality – known as "resilience incidents".

Telecoms providers should look out for further updates, as the proposed guidance will set out how Ofcom intends to use its powers in relation to resilience; providing general observations and specific examples of resilience incidents which will inform the regulator's approach to monitoring resilience.

For the purposes of applying the guidance set out in the code, telecoms providers will need to understand which tier they fall into. Any existing tier designation will apply to a telecoms provider until either of the following criteria are met:

• the telecoms provider has been outside of their existing tier’s range for at least two years, or
• the telecoms provider is above or below their existing tier’s range by more than £10 million.

This approach will ensure that changing tiers reflects a true change in the growth or reduction of a telecoms provider’s business operations, rather than seasonal or other short term changes in relevant turnover.

Failure to comply with the regulations could result in fines of up to 10% of their annual turnover or £100,000 per day for ongoing breaches. Further information on how Ofcom will use its power and regulate this framework will be contained within its proposed guidance.