The UK Telecommunications (Security) Act 2021 recognises the vital role that telecommunications plays in the modern world. Indeed, the government intends to quickly and dramatically expand the availability of gigabit-capable broadband and full fibre coverage across the nation, and security breaches or outages could be catastrophic. Therefore, it is imperative to strengthen the security and resilience of the underlying infrastructure, especially as cyberattacks have become both more relentless and more sophisticated.
The Telecommunications Act establishes a new security framework to help achieve these goals. At a high level, it requires providers of public electronic communications networks and services to both reduce the risk of security compromises and prepare for their occurrence through effective threat prevention, detection, response and recovery measures. This article provides the details you need to begin your journey to compliance.
Timelines and penalties
Getting started promptly with the Telecommunications Act is urgent. Larger (Tier 1) telecom providers are expected to implement the most straightforward and least resource-intensive measures by 31 March 2023, the next level of measures by 31 March 2025, and the most complex and resource-intensive measures by 31 March 2026. Smaller (Tier 2) providers have longer timelines, since compromises to their networks and services are likely to have less impact on public connectivity and the costs of achieving compliance will be proportionately higher for them.
OFCOM, the UK’s communications regulator, is responsible for monitoring and enforcing compliance with the Telecommunications Act. Financial penalties for non-compliance can reach up to £100,000 a day.
Background and objectives
The Telecommunications Act draws upon a variety of research and analysis. In particular, the DCMS Supply Chain Review of July 2019 recommended the establishment of a robust security framework with a set of telecoms security requirements (TSRs) for protecting networks and services, maintaining high availability, and ensuring the confidentiality and integrity of data. And the National Cyber Security Centre (NCSC), the UK’s national technical authority for cybersecurity, performed an extensive analysis of the risks facing the telecom sector and offered technical recommendations for improving security.
The objectives of the new telecoms security framework are detailed in the National Cyber Strategy 2022: “First, the nature of the risk needs to be understood. Second, we need action to secure systems to prevent and resist cyber attacks. Third, recognising some attacks will still happen, we need to prepare for these, to be resilient enough to minimise their impact and be able to recover.”
Key requirements
Specifically, the Telecommunications Act 2021 amends the Communications Act 2003, introducing new requirements on providers of public electronic communications networks and services concerning security compromises. The first four sections outline the duties of providers.
Section 1
Section 1 of the Telecommunications Act lays out the “Duty to take security measures.” It specifies that telecom providers must take appropriate measures to:
- Identify the risks of security compromises occurring
- Reduce the risks of security compromises occurring
- Prepare for the occurrence of security compromises
A “security compromise” includes anything that compromises the availability, performance or functionality of the network or service, or the security or confidentiality of data being stored or transmitted.
Section 2
Section 2 of the Telecommunications Act concerns the “Duty to take measures in response to security compromises.” Providers must implement appropriate measures to prevent adverse effects arising from a security compromise, and to remedy or mitigate any adverse effects that do occur.
Section 3
Section 3 empowers the Secretary of State to issue, revise and withdraw codes of practice that provide guidance as to the measures to be taken to satisfy the duties detailed in sections 1 and 2.
Section 4
Section 4 of the Telecommunications Act requires providers of a public electronic communications network or a public electronic communications service to inform two sets of stakeholders about potential or actual security compromises:
- Users — Where there is a significant risk of a security compromise occurring, the provider of the network or service must take reasonable steps to provide users of that network or service who might be affected by the compromise with relevant information, expressed in clear and plain language.
- OFCOM — The provider must inform OFCOM as soon as reasonably practicable about any security compromise that has a significant effect on the operation of the network or service, or that could enable a further security compromise that would have such an effect.
How to get started today
Quest is uniquely positioned to help you achieve, maintain and prove compliance with many requirements of the UK Telecommunications Act. We offer a broad portfolio of solutions and professional services that help organisations around the world modernise and protect their IT ecosystems to increase cyber resilience — efficiently and effectively. If your organisation is affected by the UK Telecommunications Act, the following areas are a great place to start your path to compliance.
Attack path management
Identity-based attacks enable adversaries to compromise legitimate user and administrator accounts and thereby gain a foothold in your network. From there, they can move laterally and stealthily escalate their privileges until they can damage vital systems and services or exfiltrate sensitive data.
These cyberattacks are relentless: Microsoft reports more than 25 billion attacks were attempted on Active Directory (AD) accounts in 2021 alone. Unfortunately, in most organisations today, an adversary who compromises an AD user account is likely to be just a handful of steps away from the organisation’s most valuable IT assets — or even total control of Active Directory itself. What’s more, that’s true even if the IT team has implemented the core security practices of robust patch management, vulnerability management, and threat detection and response. Since Active Directory is the beating heart of the IT ecosystem, providing the vital authentication and authorisation services required for the business to operate, when AD goes down, your business goes down with it.
The steps that could give an adversary such power comprise an attack path. And there is only one solution on the market that provides attack path management for Active Directory: SpecterOps BloodHound Enterprise from Quest. This tool will map out the attack paths in your AD, prioritise them according to risk and provide clear guidance on remediation. As a result, it can help you comply with several of the core duties under the Telecommunications Act:
- Identify the risks of security compromises occurring
- Reduce the risks of security compromises occurring
- Prevent adverse effects arising from a security compromise
For more information, I highly recommend the free e-book, “Level up your Active Directory security with attack path management.”
Threat detection and prevention
BloodHound Enterprise helps you uncover the hidden attack paths that put your organisation at risk — but most providers will find that they cannot promptly remediate all attack paths for fear of breaking critical business processes. Moreover, both IT environments and the threat landscape are constantly evolving, so new attack paths are emerging all the time.
Therefore, it’s vital to complement BloodHound Enterprise with On Demand Audit Hybrid Suite from Quest. This comprehensive SaaS solution tracks changes made across your hybrid IT environment to proactively uncover threats, and accelerates incident investigations through responsive search and interactive data visualisations. It helps you monitor attack paths that you have not yet been able to remediate, and can even prevent critical changes that could otherwise lead to a breach. As a result, it helps you further identify and reduce the risk of security compromises and prevent adverse effects.
Business resilience
No matter how strong your defences are, you need to be prepared for the worst. A cyberattack, a natural disaster or an innocent mistake by an administrator could disrupt vital business operations or even bring your IT ecosystem to a standstill. The Telecommunications Act requires providers to prepare for such events and be able to mitigate their impact on users.
Recovery Manager for Active Directory Disaster Recovery Edition from Quest helps you establish an effective and compliant recovery plan. You can quickly restore individual objects or attributes to minimise disruption to critical workflows, as well as be prepared for ransomware and other devastating events that take down your entire Active Directory. Its extensive automation slashes AD forest recovery time from days or weeks to just hours, giving you peace of mind that an AD disaster will not become a business disaster or compliance nightmare. Moreover, Recovery Manager protects your AD backups from compromise, eliminates the risk of malware reinfection, and empowers you to choose the best recovery method for a given situation. Pair Recovery Manager with On Demand Recovery for comprehensive disaster recovery across your hybrid AD environment.
To learn more, read the white paper, “How Active Directory recovery strengthens cyber resilience.”
Conclusion
The Telecommunications Act imposes important new duties on providers of public electronic communications networks and services to both reduce the risk of security compromises and prepare for their occurrence. With the first implementation date of 31 March 2023 approaching quickly and penalties of up to £100,000 a day looming large, getting started is imperative.
Quest is uniquely positioned to help. We can help you achieve, maintain and prove your compliance with identity-centred cyber resilience and enterprise backup and recovery solutions, along with unsurpassed professional services and technical support.