UK Weakens Proposed Telecoms Defenses After Industry Pushback


What happened

The United Kingdom weakened proposed cybersecurity protections for telecoms networks that were developed in response to the Salt Typhoon espionage campaign, after telecom and technology companies pushed back on cost and practicality concerns.

The proposed measures were introduced in August by the Department for Science, Innovation and Technology as part of a consultation on an updated code of practice for telecom providers. The consultation was launched after state-linked attacks on U.S. telecoms networks came to light.

The British government and the telecommunications industry have not confirmed whether the China-linked Salt Typhoon campaign compromised networks in the United Kingdom. The National Cyber Security Centre has said Chinese hackers targeted organizations in critical sectors globally, including a cluster of activity observed in the UK.

Several major companies and industry groups submitted responses to the consultation, including BT, VMO2, VodafoneThree, Sky, Ericsson, Amazon Web Services, and TechUK. When the government responded to the consultation, many of the most significant proposed measures were dropped or delayed. The weakened code will take effect in mid-July unless either House of Parliament resolves against it.

One dropped measure would have required providers to deploy an independent signalling intrusion detection system separate from existing controls such as signalling firewalls. The system was intended to monitor outgoing traffic for signs that existing controls had been bypassed. That control was relevant because Salt Typhoon used telecom signalling infrastructure to siphon data.

The government also dropped a requirement for telecom companies to treat incoming signalling as untrusted by default. Attackers have increasingly exploited telecoms protocols built on the assumption that messages from other networks can be trusted.

Another removed requirement would have forced providers to restart network equipment every month. The goal was to clear sophisticated memory-only malware that does not leave traces on disk and cannot be detected while a system is running. Providers told the government that monthly restarts were unworkable, and the revised rules now recommend restarts only where feasible.

The timeline for securing service accounts was also pushed back. Telecom systems rely on automated background accounts with broad access permissions to run core functions, and government documents describe those accounts as a prime target for threat actors. The requirement to secure them, originally due by the end of 2028, has been delayed to the end of 2029.

Other measures requiring providers to map vulnerabilities, test defenses, and document how their systems communicate with the outside world have also been delayed.

Who is affected

UK telecom providers are directly affected by the weakened code of practice and delayed implementation timelines. The changes also affect customers, businesses, and public services that depend on telecom networks for communications and digital operations.

Critical infrastructure sectors may also be affected because telecom networks support essential services, emergency communications, government functions, and business connectivity. If telecom providers delay controls around signalling, service accounts, vulnerability mapping, and defensive testing, the exposure is not limited to the providers themselves. It can extend to the organizations and people that rely on those networks.

Why CISOs should care

This development highlights the tension between cybersecurity obligations and operational cost in critical infrastructure. Telecom providers pushed back on measures they considered costly or impractical, and the government dropped, softened, or delayed several proposed controls. For CISOs, the lesson is that regulatory security requirements can weaken when implementation costs are weighed without a full accounting of national or downstream risk.

The specific controls involved are also important. Independent signalling intrusion detection, treating incoming signalling as untrusted, securing service accounts, mapping vulnerabilities, testing defenses, and documenting external communications are not abstract compliance measures. They are practical controls tied to how sophisticated attackers operate inside telecom environments.

The delay around service accounts is especially relevant. These accounts often carry standing privileged access and support core system functions. If they remain weakly controlled, they can provide attackers with durable access to critical infrastructure systems.

3 practical actions

  1. Assess critical service accounts as high-priority privileged identities: The revised UK telecom code delays requirements for securing service accounts until the end of 2029, despite government documents describing them as prime targets for threat actors. CISOs should inventory service accounts, remove unnecessary privileges, rotate credentials, and monitor their use as part of privileged access management.
  2. Review whether trusted network assumptions still hold: The dropped requirement to treat incoming signalling as untrusted reflects a broader issue with legacy protocols and inherited trust relationships. Security teams should identify systems that trust external messages, partners, or connected networks by default and evaluate whether additional validation, segmentation, or monitoring is needed.
  3. Document critical communications paths and test defensive controls: Some delayed measures would have required providers to map vulnerabilities, test defenses, and document how systems communicate with the outside world. Organizations should not wait for regulation to require this work. CISOs should map external communications, test detection and response controls, and validate whether critical systems can withstand compromise attempts.

John Kevin Hao is a news and feature writer covering cybersecurity, technology, and business for professional audiences.