Mobile operators face fines of up to £10 million if they do not comply with the Act*, which became law today. By Kate O'Flaherty.
The UK's Telecoms Security Act places the onus on mobile operators to identify and reduce the risk of security compromises.
As the threat from powers such as Russia and China increases, the new Act aims to strengthen the security framework for technology used in 5G and full fibre networks – including the electronic equipment and software at mast sites as well as telephone exchanges that handle internet traffic and calls.
Yet the incoming law creates a massive challenge for mobile operators, not least because of the scale and complexity of today’s networks.
As the new law arrives, it becomes key for mobile operators to manage their supply chains and adopt cybersecurity best practices, including vulnerability management, to avoid the steep penalties that come with failing to comply.
With growing acknowledgement of the threat from Chinese vendors such as Huawei – particularly in light of increasing sanctions in the US – the Telecoms Security Bill has been on the cards for some time.
Starting in 2008
The groundwork was set in 2008, when the UK Parliamentary Intelligence and Security Committee and the Security Service (MI5) said that theoretically, the Chinese State could exploit vulnerabilities in Huawei’s equipment to access the BT network.
BT subsequently started a programme to strip equipment from Huawei and the other Chinese provider, ZTE, out of its 3G and 4G networks, and pledged not to have any of their technology at the core of the emerging 5G network.
When the US moved to ban Huawei equipment in 2020, the UK also decided Chinese vendors should be removed from 5G networks by the end of 2027.
“Vendors had little choice and quietly accepted the imposition, starting to sever their ties with the Chinese company and replace components – at an estimated £2 billion cost over the time period,” says Philip Ingram, MBE, a Former Colonel in Military Intelligence.
Widening the scope
While “high risk suppliers” are already banned from the most sensitive core parts of the network, the Security Bill will widen this. Building on the 2003 Communications Act, the Telecoms Security Bill allows the government to be more proactive to keep the UK safe, says Ingram.
“High risk vendors are identified, and it will work with telecoms companies to ensure potential risks are identified and mitigated before they get introduced to our increasingly important networks,” he states.
Challenges of the Bill
One major challenge for mobile operators is an ageing infrastructure estate. Because much of it is no longer supportable, it could take significant investment to replace or rectify, says Carl Hunt, Director of Cyber Defence Services, KPMG UK.
“While operators are currently rolling out their new 5G infrastructure, many are also still running equipment that is 15 or 20 years old or more, which is a significant drain on resources.”
The Bill requires the adoption of best security practices across the board, but this in itself is a challenge for telecoms firms. Anthony Tsiopoulos, Co-Founder and Cybersecurity Lead, Weaver Labs points to the fact that there is no unified way to consult security standards and policies “in a way that can be used to efficiently create a cybersecurity strategy” for an organisation.
Another important consideration is the supply chain: operators must now ensure the companies they deal with are also following best security practices. Indeed, with the introduction of 5G and virtualisation, one of the big challenges mobile operators face is managing security within a multi-vendor supply chain and open ecosystem.
This is increasingly difficult with the extensive requirements of the new law, says Dr Nadia Doughty, Technical Consultant, BAE Systems AI. “It also demands a higher level of internal security monitoring, which will mean current security operations must scale and new solutions will be required, particularly to support creation of high trust operational environments.”
Managing vulnerability proactively
The Bill mandates that telecom providers inform the regulator Ofcom and their users of any security vulnerabilities. This is in addition to the existing requirement that the Information Commissioner's Office must be notified of a security breach.
This creates another challenge for mobile operators: How well they can see, assess, and remediate cybersecurity threats across their sprawling environments will determine their ability to comply, says Alastair Williams, Director, Solutions Engineering, EMEA, Skybox Security.
With this in mind, operators must pursue proactive rather than reactive cybersecurity, adding threat intelligence and network modelling, Williams says.
“Traditionally, cybersecurity has relied on reactive scanning and patching. Proactive cybersecurity in the modern era requires a data-driven approach that can spot vulnerabilities on mission critical assets.”
As well as using threat intelligence to manage their own level of risk, including the supply chain, mobile operators should also perform attack simulations to test their defences.
This can be done through penetration testing and Red Teaming, where security professionals act like an adversary to probe a company's defences.
Cybersecurity is an increasingly complex issue that affects all firms, not least the telecoms companies that are considered critical national infrastructure in the UK. With the Telecoms Security Bill now law, the need for operators to act is urgent.
Complying will not be simple, and it requires changes in strategy, culture and technology, but those changes will set mobile operators up for the future. After all, more regulations are coming: for example, the UK government is about to bring forward laws on IoT security.
As Williams points out: “Getting your cybersecurity house in order now creates a foundation to be able to better keep up with new laws, threats and vulnerabilities in the future.”
* This is an updated version of the original article to reflect the Bill becoming an Act and passing into law.