# UK Weakens Telecom Cybersecurity Protections After Industry Lobbying
The UK government has significantly scaled back proposed cybersecurity measures for its telecommunications networks, measures originally developed in response to the suspected Chinese espionage campaign known as **Salt Typhoon**. The decision follows extensive lobbying from major telecom providers, which cited cost and practicality concerns, and it raises questions about the nation's resilience against state-backed cyber threats.
Britain has reportedly diluted critical cybersecurity protections for its telecommunications networks, measures initially conceived in direct response to the **Salt Typhoon** espionage campaign. Documents reviewed by Recorded Future News indicate that this rollback came after telecom companies lobbied against the proposed requirements, citing cost and practicality concerns.
While neither the British government nor the telecom industry has confirmed compromises within UK networks by the China-linked **Salt Typhoon** campaign, the **National Cyber Security Centre (NCSC)** previously stated that Chinese hackers globally "targeted organisations in critical sectors," with a "cluster of activity observed in the UK."
## A Broader Tension in National Security
This decision highlights a recurring tension described by Western security and intelligence officials: an industry that seeks government assistance against state-backed hackers but then resists the network access and obligations that effective defense requires. A senior official from a NATO ally recounted a case in which a large telecom company requested help against suspected Chinese hackers, only to refuse the assisting agency access to its network.
Historically, this wasn't the case. **Ciaran Martin**, founder of the **NCSC**, noted that when the telecoms security framework was first developed, industry executives actively sought regulation, viewing it as a legal mandate to justify security investments to shareholders.
## The Genesis of the New Measures
The now-weakened cybersecurity measures were initially proposed last August by the **Department for Science, Innovation and Technology (DSIT)**. They formed part of a consultation on an updated code of practice governing how telecom providers must secure their networks. The initiative was launched in response to the **Salt Typhoon** intrusions into U.S. telecoms networks, which were attributed to Chinese state-linked actors.
Companies including **BT**, **VMO2**, **VodafoneThree**, **Sky**, **Ericsson**, and **Amazon Web Services** submitted responses to the consultation. **TechUK**, the industry trade body, coordinated a collective submission. While **TechUK** stated its active involvement in the Code's development, asserting the framework was "appropriate, proportionate, and technically workable," none of the businesses provided a statement by the time of publication.
When the government responded to the consultation last week, many of its most significant measures were either dropped or delayed. These rollbacks, previously unreported, are set to take effect in mid-July unless opposed by Parliament.
The Code is issued under the **Telecommunications (Security) Act 2021**, which requires providers to implement appropriate and proportionate security measures. Though the Code is guidance rather than legislation, **Rob Bratby**, managing partner of **Bratby Law**, explains that it serves as a critical "yardstick" for compliance. Deviating from it without a defensible reason, he notes, could lead to fines of up to ten percent of turnover.
## Key Protections Abandoned or Delayed
Several crucial protections have been either abandoned or pushed back:
* **Independent Signalling Intrusion Detection Systems:** A requirement for providers to deploy a separate monitoring system, ideally from a different vendor, to watch outgoing signalling traffic for evidence that controls had been bypassed was dropped. Such systems were intended to detect the data-siphoning techniques characteristic of the **Salt Typhoon** campaign, which impacted over 80 countries.
* **Untrusted Incoming Signalling:** The mandate for telecom companies to treat incoming signalling as untrusted by default was also removed. Attackers frequently exploit telecoms protocols that assume messages from other networks are trustworthy.
* **Monthly Network Equipment Restarts:** A requirement to restart network equipment monthly, intended to clear sophisticated memory-only malware that does not persist across a reboot, was deemed unworkable by providers. The revised rules now only recommend restarts "where feasible."
* **Service Account Security:** Requirements to secure service accounts (automated background accounts with broad access, which the government itself identified as a "prime target for compromise") have been pushed from the end of 2028 to the end of 2029.
* **Vulnerability Mapping and Defense Testing:** Measures requiring providers to map their vulnerabilities, test their defenses, and document how their systems communicate with the outside world have been delayed by a similar margin.
**Ofcom's** December 2025 security report had already indicated that some of Britain's largest providers were likely to miss existing deadlines for identity and access management measures, an area that includes service account security. **Rob Bratby** expressed concern over the service account delay, stating it's hard to reconcile with the government's own threat assessment. "Service accounts are precisely where a capable attacker wants to be... and the government says as much in its response."
## A One-Sided Proportionality Calculation
Responding to Recorded Future News, a **DSIT** spokesperson stated, "The UK already has one of the strongest telecoms security frameworks in the world... We've worked closely with the **NCSC** to ensure industry feedback is considered... alongside the changing security threat, and the cost and practicalities of putting these new guidance measures in place."
However, the proportionality assessments for each rollback consistently followed a pattern: a measure was proposed, providers objected to its cost or practicality, and the measure was subsequently dropped, softened, or delayed. Crucially, none of the published assessments factored in the potential cost of a successful hostile-state intrusion into UK telecoms infrastructure.
Seven of Britain's largest providers submitted confidential cost estimates in a supplementary survey, which have not been published. **Rob Bratby** argued that the government's legal standard requires a more comprehensive accounting. "A proportionality exercise that counts only what compliance costs industry, and not what an incident would cost the country, is incomplete on its own terms."
**Ciaran Martin**, now a professor at Oxford's **Blavatnik School of Government**, echoed these concerns: "You're supposed to evaluate these measures against the cost of likely national security damage. What are you measuring it against otherwise?"
While the government has previously published such assessments for other legislation (estimating that cyberattacks cost the British economy £14.7 billion ($19.7 billion) annually, in support of the **Cyber Security and Resilience Bill**), no equivalent analysis was produced for the telecoms sector.
**Ollie Whitehouse**, **NCSC's** chief technology officer, had previously identified this as a systemic issue in a June 2025 blog post. He argued that cybersecurity investment decisions often underweight downstream costs because these costs are borne by customers and the public, not the companies making the initial investment. "The cost of underinvestment in cyber security is ultimately borne not by the vendors, but downstream by customers, insurers, the government and wider society," he wrote.
While some rollbacks could be explained as the normal consultation process, with industry demonstrating alternative compliance methods, the scale of the changes and the lack of a comprehensive cost-benefit analysis raise significant concerns about the UK's preparedness against sophisticated state-backed cyber threats.