The UK government has given an extra year to network providers to implement its new UK telco security requirements, but has rejected many other industry requests made during a public consultation on the pending Telecommunications Security Code of Practice, set to become law in October 2022 bar parliamentary objection.
It also refused to dilute rules that will make every telco retain log data on “access to security critical functions” for at least 13 months and keep more robust asset management records.
DCMS published the results of the consultation and its response this week, as the Electronic Communications (Security Measures) Regulations now head towards parliament for their final phase of scrutiny.
The rules — which are where the rubber hits the road under the Telecommunications (Security) Act 2021 — come as the government warned that “without effective telecoms security, disruption due to cyber attacks will continue to grow, including the potential for connectivity compromises and outages that could be catastrophic”.
UK telco security rules had aimed for network autarky
HMG has watered down stark plans designed to ensure that telcos could “where necessary, operate UK networks, without reliance on overseas staff, equipment or data” that would effectively ban offshoring network security functions, however, noting that “we have amended the wording in the regulations to clarify that public network providers must only take appropriate and proportionate measures to achieve these aims” as it said on Tuesday August 30.
Regulator Ofcom has also conducted its own consultation, which it has yet to publish.
Once both sets of regulations are finalised, network operators will have a much clearer view of what they will need to do – with fines of between £100,000 or up to 10% of turnover the incentive to get it right.
The most significant change from the draft Telecommunications Security Code of Practice regulations is a delay on the earliest implementation date for some security measures – this has changed from 31 March 2023, to 31 March 2024, giving telcos a further year. Other deadlines, for more complex security measures, remain unchanged at 31 March 2025, 2027 and 2028 for Tier 1 and 2 providers, with longer for Tier 3 operators.
“One respondent noted that roughly 40% of the proposed measures in the draft code of practice were due by 31 March 2023. Multiple respondents commented that implementing these measures by 31 March 2023 would not be possible without incurring very large and disproportionate costs,” HMG noted, adding “several respondents suggested that moving at such a rapid pace to implement the measures would risk creating new security vulnerabilities in their networks, as there would be insufficient time to test and securely deploy new measures.”
But the government rejected calls for different rules around cloud providers; several respondents said requirements for third-party virtualisation fabric providers to follow the same guidelines were impractical, and would put telcos at a competitive disadvantage. But the government’s response said the regs are “designed to ensure that providers are responsible for the security of their networks and services”.
“Where certain functions are contracted with third party suppliers (including cloud services) providers must take appropriate and proportionate steps to hold those third parties accountable in line with measures in regulation 7 concerning supply chains, regardless of the type of technology chosen for delivery of services,” added the response.
The government did remove a requirement that signalling messages be reconstructed rather than just transmitted – on the basis that, as a respondent pointed out, “the technical solution which would be needed to implement this measure is currently unavailable”. Instead the UK telco security regulations now require operators to make their systems secure against signalling attacks, without requiring reconstruction.
Another change, with significance for consumer-facing operations, was the removal of a suggestion that customers should be provided with replacement customer-premises equipment (CPE) at no cost, if it goes out of support. The government still wants telcos to keep CPE secure (in contrast to the current practice of never supplying updates for years-old devices) but now says “we do not believe it is appropriate to narrowly define CPE within the regulations”.
DCMS also tweaked the guidance about how networks should be able to respond in an emergency, to require network operators to maintain connectivity within the UK – even if international connectivity is lost.
The response noted that “providers that choose to operate networks across multiple countries” were not exempt from national resilience measures – i.e. if a multinational telco can’t communicate with its systems outside the UK, it still needs to keep its British operations going.
Respondents told the government the cost impacts of the new Telecommunications Security Code of Practice would be considerable – however, as much of the burden would have come from the very short implementation period required in the draft regulations, the changes will presumably have reduced this significantly.
Even with these changes, the requirements for much tighter security – and more stringent supply chain accountability – will have a significant impact. The government said it would publish a full business impact assessment when it puts the final UK telco security regulations before parliament.
“Implementation of the measures in the code of practice cannot be considered in isolation and must be viewed in light of other significant cost burdens that providers must shoulder. The regulations and code of practice must ensure that providers address pressing risks to their network security without jeopardising other strategic priorities or investment ambitions,” HMG said this week.