The UK’s new Telecommunications (Security) Act 2021 places unprecedented security responsibilities on the shoulders of CSPs and operators with the aim of ensuring the security of the national communications framework. What are the obligations of CSPs under the new act, and how can they transform business and security processes to meet them?
Communications networks are evolving at significant speeds. 5G standalone, new Fixed 5G and ongoing transformation across all domains are bringing new levels of performance. At the same time, cyber threats are also increasing. Add in the growing deployment of network-based artificial intelligence (AI) into the mix and it becomes clear that there are multiple vulnerability points for malicious actors to target.
Public and private organisations working in security tandem
Telecoms operators and communications service providers (CSPs) are now as vulnerable to cyber threats as any other business. Notably, their networks and/or services usually constitute a significant component of critical national infrastructure and national security. So, ensuring their security at every vulnerability point is paramount.
That’s why governments and operators around the world are increasingly working in tandem to secure national communication infrastructure assets. The recent and well-documented removal of equipment manufactured by Chinese giant Huawei from western 5G networks reflects this renewed focus on ensuring the complete security of the communications infrastructure.
As a result, governments and regulators are increasingly placing more responsibility on equipment providers and CSPs to ensure security throughout their network and throughout the entire supply chain too.
The UK Telecommunications (Security) Act 2021
One example of this was the introduction by the UK government of the Telecommunications (Security) Act (TSA) in 2021, which essentially gives the UK’s communications regulator Ofcom powers to intervene in the practices of CSPs concerned with security, and places more legal responsibility on CSPs to ensure compliance with specified security measures.
The TSA provides a comprehensive security framework for identifying and mitigating risk throughout the communications infrastructure and imposes stronger overarching security duties on CSPs. The framework comprises three layers:
- Strengthened overarching security duties on public telecoms providers, which are set out in sections 105A and 105C of the Act.
- Specific security measures and requirements as set out in the Electronic Communications (Security Measures) Regulations 2022.
- Technical guidance set out in the supporting 2022 Telecommunications Security Code of Practice, which defines the government’s preferred approach to demonstrating compliance with the duties in the TSA and the requirements within the regulations.
The TSA itself outlines several themes that are now the responsibility of CSPs to implement. For example, CSPs must be able to identify the risks around security compromises and must take action to reduce and mitigate these risks. The TSA also demands the implementation of continuous evaluation and that CSPs continually and proactively review processes to identify and prevent potential future security breaches. Should a breach occur, CSPs are responsible for informing those who may be adversely affected (including network providers) and must update the regulator as soon as reasonably practicable.
It marks a switch from the previous reactive, siloed-based approach to a proactive, network-based approach that promotes resilience and security throughout the infrastructure and a diversified supply chain to mitigate risk.
The Electronic Communications (Security Measures) Regulations 2022 and the 2022 Telecommunications Security Code of Practice
The TSA is supported by the Electronic Communications (Security Measures) Regulations 2022, which provides 16 regulations outlining multiple security measures that CSPs are expected to put in place, including the duty to:
- Protect stored data, and to secure the critical functions that operate and manage these processes.
- Protect network monitoring and analysis tools from hostile state actors.
- Monitor public networks to identify potentially dangerous activity, to have a deep understanding of their security risks and to report regularly to internal boards.
- Take account of supply chain risks and understand/control who can access and make changes to the operation of their networks and services.
The 2022 Telecommunications Security Code of Practice, meanwhile, provides technical guidance on how CSPs should apply the TSA and the electronic communications regulations. For example, Section 2 covers concepts such as:
- Network Architecture
- Protection of data and network functions
- Prevention of unauthorised access or interference
- Preparing for remediation and recovery
- Governance
- Patching and updates
The code of practice also groups providers into three tiers based on operational scale (to avoid placing an unfair burden on smaller CSPs), each with its own level of obligation and implementation date.
Importantly, these obligations also apply to providers and equipment suppliers throughout the entire supply chain – and those supplying Tier 1 and Tier 2 CSPs must adhere to the same implementation timetables as their customers.
Strict penalties for TSA non-compliance. Act now to ensure compliance
Given the implementation deadlines, the new act, requirements, and code of practice require CSPs to start building their compliance requirements into the network as a matter of urgency.
For example, CSPs that do not meet their deadlines or meet their new security responsibilities face financial penalties – up to a maximum of 10% of their annual turnover, and, in the event of a continuing failure to comply, a rolling fine of £100,000 per day.
It’s imperative therefore that CSPs act now. Of course, this is a daunting prospect, and the automation of processes and policies is the only realistic way to meet the new requirements – sticking to legacy manual-based approaches is not an option, particularly given the complexities of the new network.
This is baked into the act. Section 2.63 of the Code of Practice explicitly covers automation, stating:
“Automation allows for rapid prototyping and testing of new features, security patches and changes. This approach supports network resilience by limiting errors caused by human interaction and by allowing quicker remediation should issues occur. The approach supports network security by increasing the speed at which updates and changes can be made, allowing the provider to keep pace with the threat environment.”
The importance of operational and network automation in meeting TSA requirements
But automation isn’t just a means to achieve compliance. By building automation into the fabric of the infrastructure and operational processes (either retrospectively or from the ground up) CSPs will also gain the flexibility, scalability, and agility required to survive competitively. In the new era, the provision of differentiated services and optimum Quality of Experience (QoE) will not just define success but are a business imperative for survival.
5G networks, enhanced fixed transport and connectivity, new use cases, and the IoT are set to generate vast volumes of data, and automation is essential for monitoring, collecting, and exchanging this data – a manual approach is not an option. From a security perspective, automation eliminates human error and removes the potential for malicious human intervention.
Importantly, automation can monitor real-time security incidents and breaches, act to limit exposure, and alert providers to potential issues before they impact customers. Every step of the process is a potential vulnerability, so employing automated workflows can narrow this security gap.
As a result, automation is inevitable not just from the perspective of digital transformation, but also from a regulatory perspective. So, how can CSPs make this transformation easier?
We Are CORTEX can help you to manage this transition to ensure optimised business operations and security practices to achieve compliance with the TSA and flourish.
We Are CORTEX offers proven, network-hardened solutions that enable CSPs to navigate automation journeys – and to ensure compliance with regulations, such as the TSA, which require significant internal transformation. Our simple, OPEX-based model means you only pay for what you use, with clear annual licensing costs, and rapid deployment.
To find out how We Are CORTEX has already helped CSPs and operators to automate business and security processes – securing operational excellence and achieving compliance with the obligations of the TSA, download our latest paper below.