Gov Publish Response to Revision of UK Telecommunications Security Code | ISPreview UK


The UK Government (DSIT) has today published its response to a planned revision of the Telecommunications Security Code of Practice (2022), which will update the specific security measures that public telecoms providers (broadband, mobile etc.) must take in order to protect their networks from attack.

Just to recap: the original Code was introduced under the wider Telecommunications (Security) Act 2021 (summary), which itself was originally brought in to restrict the use of Huawei’s kit in UK telecoms networks, while also imposing a range of obligations intended to make those networks more resilient to cyberattack.

The law and its supporting Code handed new powers to the Government and Ofcom, enabling them to intervene in how network operators run their business, manage supply chains, design and even operate networks. Fines of up to 10% of turnover or £100,000 a day can even be issued against those that fail to meet the required standards, albeit tiered to different sizes of provider.

However, the Code is designed to be periodically updated as “new threats emerge and technologies evolve”, which is what the government proposed to do last year when it launched a related consultation (here). The government has now responded to that consultation with its planned revisions to the draft Code (here) – see tracked changes (PDF).

Many of the changes are focused on providing additional guidance and clarity, particularly on how operators should handle evolving technologies such as mobile eSIMs, small cells, modern encryption and APIs. The Code has also been updated to reflect the need to tackle hostile-state-linked attacks, while separately rolling back, in part, the proposed addition of ‘Business Support Systems’: respondents felt this was too broad and risked bringing into scope a wide range of IT systems with no bearing on network security (business support systems remain covered in certain circumstances).

The update also re-emphasises the need for a holistic, risk-based approach to the Code of Practice, one that considers the Code in its entirety rather than treating individual security measures in isolation. That is still sometimes at odds with Ofcom’s compliance-monitoring approach, which pushes some providers towards more of a ‘checklist’ mentality.

Overall, most of the changes appear to be fairly small to modest, although we have only skimmed what is quite a long and laborious read. The revised draft will now need to be laid before Parliament before it is formally introduced. It covers a much wider set of changes than we can easily summarise here, so those with an interest are advised to read it in full.
