UK mobile and broadband carriers face fines of $117K/day, or 10% of sales, if they fail to follow new cybersecurity rules

More than three years in the making, the U.K. government today announced a new, sweeping set of rules it will be imposing on broadband and mobile carriers to tighten up their network security against cyberattacks — aimed at being “among the strongest in the world” when they are rolled out, said the Department for Digital, Culture, Media and Sport.

The new requirements cover areas such as how (and from whom) providers can procure infrastructure and services; how providers police activity and access; the investments they make into their security and data protection and the monitoring of that; how providers inform stakeholders of resulting data breaches or network outages; and more. The rules will start to get introduced in October, with carriers expected to fully implement new procedures by March 2024.

Critically, those who fail to comply with the new regulations will face big fines: non-compliance can result in up to 10% of annual revenues; continuing contraventions will see fines of £100,000 ($117,000) per day. Communications regulator Ofcom, which worked with the National Cyber Security Centre to formulate the new regulations and code of practice, will enforce compliance and fines.

The rules are the first big enforcement directives to come out of the Telecommunications (Security) Act, which was voted into law in November 2021. 

“We know how damaging cyber attacks on critical infrastructure can be, and our broadband and mobile networks are central to our way of life,” Digital Infrastructure Minister Matt Warman said in a statement. “We are ramping up protections for these vital networks by introducing one of the world’s toughest telecoms security regimes which secure our communications against current and future threats.”

The emergence of the new security laws and enforcement process comes at a crossroads.

On one hand, as security breaches continue to grow in scope and frequency, one of the most significant battlegrounds that has emerged in the fight against cybercrime has been network infrastructure — the mobile and broadband rails that all of our apps and devices need to function. For the most part broadband and mobile providers have set their own standards and processes, although the government today pointed out that a Telecoms Supply Chain Review that it carried out “found providers often have little incentive to adopt the best security practices.”

On the other, there have been a number of breaches over the years that point not just to the sitting duck that is network infrastructure, but the failure to protect it. These have included incidents that threaten to reveal carriers’ source code; exposure of lax security policies to gain network access; and creating targets out of their customers by not being stronger on security. The state of play was particularly laid bare a few years ago as 5G networks were starting to take shape, when there were question marks over not just how those networks would be secured, but whether the very equipment that was being procured — Chinese vendors being a key issue at the time that the legislation was first taking shape — was safe.

The aim of the new rules is meant to be all-encompassing, covering not just how networks are being built and run, but the services that run on them.

As the government lays out, they “protect data processed by their networks and services, and secure the critical functions which allow them to be operated and managed; protect software and equipment which monitor and analyze their networks and services; [require providers to] have a deep understanding of their security risks and the ability to identify when anomalous activity is taking place with regular reporting to internal boards; and take account of supply chain risks, and understand and control who has the ability to access and make changes to the operation of their networks and services to enhance security.”

Notably the new laws do not lay out any specific names of companies, nor of countries, which gives the government license to change course, but might be seen as a way to further politicize the process.

“We increasingly rely on our telecoms networks for our daily lives, our economy and the essential services we all use,” said NCSC Technical Director Dr Ian Levy in a statement. “These new regulations will ensure that the security and resilience of those networks, and the equipment that underpins them, is appropriate for the future.”