UK mobile and broadband providers face fines of $117,000 a day or 10% of revenue for not following new cybersecurity rules – TechCrunch
After more than three years of preparation, the UK government today announced a new, far-reaching set of rules it will impose on broadband and mobile operators to improve their network security against cyberattacks, with the aim of being “among the strongest in the world” when they are rolled out, the Department for Digital, Culture, Media and Sport announced.
The new requirements cover areas such as how (and from whom) providers can source infrastructure and services; how vendors monitor activity and access; the investments they make in their security and privacy and how they are monitored; how vendors notify stakeholders of resulting data breaches or network outages; and more. The rules will be rolled out in October, with providers expected to fully implement the new procedures by March 2024.
Crucially, those who fail to comply with the new regulations face hefty fines: non-compliance can result in fines of up to 10% of annual sales; continued violations will result in fines of £100,000 ($117,000) per day. Communications regulator Ofcom, which worked with the National Cyber Security Centre to formulate the new regulations and codes of conduct, will enforce compliance and fines.
The rules are the first major enforcement policies to emerge from the Telecommunications (Security) Act, which came into force in November 2021.
“We know how damaging cyberattacks on critical infrastructure can be, and our broadband and mobile networks are central to the way we live,” Digital Infrastructure Minister Matt Warman said in a statement. “We are increasing protection for these vital networks by implementing one of the most stringent telecommunications security systems in the world, protecting our communications from current and future threats.”
The emergence of new security laws and enforcement procedures comes at a crossroads.
On the one hand, as security breaches continue to increase in scope and frequency, one of the key battlegrounds in the fight against cybercrime is network infrastructure – the cellular and broadband lanes that all our apps and devices need to function. For the most part, broadband and wireless providers have set their own standards and processes, although the government pointed out today that a telecoms supply chain review it conducted “found that providers often have little incentive to adopt security best practices”.
On the other hand, a number of breaches over the years have pointed not only to network infrastructure being a sitting duck, but also to failures to protect it. These included incidents in which network operators exposed source code; lax security policies that allowed access to the network; and operators making targets of their customers by not paying more attention to security. The state of affairs became particularly clear a few years ago, when 5G networks were beginning to take shape and there were question marks not only about how those networks would be secured, but also about whether the equipment being procured was secure. Chinese vendors were a key question at the time the legislation first took shape.
The aim of the new rules is to be all-encompassing, covering not only how networks are built and operated, but also the services that run on them.
As the government states, “they protect the data processed by their networks and services and secure the critical functions that enable their operation and management; protection of software and equipment that monitor and analyze their networks and services; [require providers to] have a deep understanding of their security risks and the ability to recognize when anomalous activity is taking place, with regular reporting to internal committees; consider risks in the supply chain and understand and control who has access to their networks and services and can make changes to operations to increase security.”
Notably, the new laws do not include specific company or country names, which gives the government leeway to change course but could be seen as a way to further politicize the process.
“We increasingly rely on our telecommunications networks for our daily lives, our economies and the essential services we all use,” said NCSC Technical Director Dr. Ian Levy in a statement. “These new regulations will ensure that the security and resilience of these networks and the equipment they support are appropriate for the future.”