UK Weakens Telecoms Cybersecurity Protections Amid Industry Pushback Against Chinese Threats
Britain has recently scaled back proposed cybersecurity measures for its telecommunications networks, initially designed in response to the Salt Typhoon espionage campaign. This decision follows significant lobbying from telecom companies concerned about the costs and practicality of implementing these measures. The implications of this rollback are significant, particularly in the context of rising cyber threats linked to state actors.
The Salt Typhoon campaign, attributed to Chinese hackers, has raised alarms globally, with the National Cyber Security Centre (NCSC) noting that these hackers have targeted critical sectors worldwide, including a notable cluster of activity in the UK. However, neither the British government nor the telecom industry has confirmed any compromises to networks within the UK.
Tensions Between Industry and Government
The decision to dilute cybersecurity protections highlights an ongoing tension between the telecommunications sector and government authorities. Security and intelligence officials have observed a pattern where the industry seeks government assistance against state-sponsored threats but simultaneously resists the access and obligations necessary for effective defense. A senior official from a NATO ally recounted an instance where a major telecom company requested help against suspected Chinese hackers but declined to grant access to its network when asked by the agency.
Historically, this dynamic was not prevalent. Ciaran Martin, the founder of the NCSC, noted that telecom executives previously sought regulation, arguing that legal compulsion was necessary to justify security investments to shareholders.
In August, the Department for Science, Innovation and Technology (DSIT) proposed new cybersecurity measures as part of a consultation aimed at updating the code of practice for telecom providers. This initiative was a direct response to state-linked attacks on U.S. telecom networks, which came to light following the Salt Typhoon incidents.
Industry Response and Consultation Outcomes
Major telecom companies, including BT, VMO2, Vodafone, Sky, Ericsson, and Amazon Web Services, participated in the consultation process. TechUK, the industry trade body, coordinated a collective response through its Telecoms Security and Diversification Working Group. None of these organizations had provided a statement at the time of publication, despite requests for comment.
TechUK asserted that it had been “actively involved throughout” the development of the code and claimed that the framework was “appropriate, proportionate, and technically workable in practice.” However, when the government responded to the consultation, many of the most critical measures were either dropped or delayed, a development that had not been previously reported. The revised code is set to take effect in mid-July unless either House of Parliament intervenes.
The code is issued under the Telecommunications (Security) Act 2021, which requires providers to adopt appropriate and proportionate security measures. Although it is guidance rather than enforceable law, Rob Bratby, managing partner of Bratby Law, said it acts as a “yardstick” for regulated companies. He emphasized that deviating from it without a documented rationale could lead to significant penalties, including fines of up to ten percent of turnover for non-compliance.
Key Protections Abandoned
Among the critical protections abandoned by the UK government is the requirement for telecom providers to implement an independent signalling intrusion detection system. This system, ideally supplied by a different vendor, would monitor outgoing traffic for signs of bypassed controls. Such systems are essential for detecting the unique methods employed by the Salt Typhoon campaign, which exploited a network’s signalling infrastructure to extract data.
Additionally, the requirement for telecom companies to treat incoming signalling as untrusted by default has been removed. This change comes at a time when attackers increasingly exploit telecom protocols that assume messages from other networks can be trusted.
The government also eliminated a mandate for monthly restarts of network equipment, a measure designed to clear sophisticated memory-only malware that persists, undetected, only for as long as a system stays running. Providers argued that a monthly schedule was impractical, leading to revised rules that recommend restarts only when feasible.
Another significant delay involves securing service accounts—automated accounts with extensive permissions that are prime targets for cyber attackers. Originally due for compliance by the end of 2028, the deadline has now been pushed to the end of 2029.
Further measures requiring telecom providers to map vulnerabilities, test defenses, and document external communications have also been postponed. Ofcom’s latest security report indicated that several of Britain’s largest providers were likely to miss implementation deadlines for identity and access management measures, which include service account security.
A One-Sided Calculation
In response to inquiries, a spokesperson for DSIT asserted that the UK possesses one of the strongest telecom security frameworks globally, with clear legal obligations for providers to safeguard public telecom networks. The spokesperson emphasized that the Draft Revised Code of Practice builds upon existing measures while considering industry feedback and the evolving security landscape.
However, the proportionality assessments accompanying the rollbacks reveal a consistent pattern: proposed measures were often discarded or softened following objections from providers regarding costs or practicality. Notably absent from these assessments is an evaluation of the potential costs associated with a successful hostile-state intrusion into UK telecom infrastructure.
Seven of Britain’s largest telecom providers submitted cost estimates in a supplementary survey after the main consultation, but these figures have not been disclosed. Bratby highlighted that the government’s legal framework necessitates a comprehensive accounting of both compliance costs and the potential costs of security incidents.
Martin, now a professor at Oxford’s Blavatnik School of Government, echoed these concerns, emphasizing that evaluations should consider the cost of likely national security damage. The government has previously published assessments estimating that cyberattacks cost the British economy approximately £14.7 billion ($19.7 billion) annually, but no similar analysis was conducted for the telecom sector.
The NCSC’s chief technology officer, Ollie Whitehouse, identified this as a structural issue, noting that cybersecurity investment decisions often overlook downstream costs, which are ultimately borne by customers and society at large.
Martin expressed concern that the cumulative effect of these rollbacks, combined with delays in the Cyber Security and Resilience Bill, could create the impression that the government is prioritizing growth over essential security measures.
Source: therecord.media