UK weakens proposed telecoms defenses against Chinese hackers after industry pushback

Britain has weakened proposed cybersecurity protections for its telecoms networks that were developed in response to the Salt Typhoon espionage campaign, after the companies responsible for implementing the measures lobbied against cost and practicality, according to documents reviewed by Recorded Future News.

Neither the British government nor the telecommunications industry has confirmed whether the China-linked Salt Typhoon campaign compromised networks in the United Kingdom. The National Cyber Security Centre (NCSC) has said Chinese hackers “targeted organisations in critical sectors” globally, including “a cluster of activity observed in the UK.”

The decision to roll back protections reflects a broader tension that multiple Western security and intelligence officials have described to Recorded Future News: a sector that says it wants government help defending against state-backed hackers but then resists the access and obligations that effective defense demands.

In one case, a senior official for a NATO ally recalled a meeting with representatives from a large telecom company that asked for assistance against suspected Chinese hackers. When the agency sought access to the company's network, the company refused.

That tension wasn’t historically a feature of the industry’s relationship with the British government. Ciaran Martin, who founded the NCSC and oversaw the development of the telecoms security framework before leaving government in 2020, said telecom executives had at that time asked to be regulated, arguing they needed a legal compulsion to justify security investments to shareholders.

The new cybersecurity measures were proposed last August by the Department for Science, Innovation and Technology (DSIT) as part of a consultation for an updated code of practice governing how telecom providers must secure their networks. It was launched in response to what DSIT described as state-linked attacks on U.S. telecoms networks after the Salt Typhoon attacks first came to light.

BT, VMO2, VodafoneThree, Sky, Ericsson and Amazon Web Services were among the businesses who submitted responses. TechUK, the industry trade body, coordinated a collective submission through its Telecoms Security and Diversification Working Group. Recorded Future News reached out to these organizations, but none of the businesses provided a statement by the time of publication.

TechUK, whose members include the companies that lobbied against the measures, said it had been “actively involved throughout” the Code's development and that the framework was “appropriate, proportionate, and technically workable in practice.” 

When the government responded to the consultation last week, many of its most significant measures were dropped or delayed. The rollbacks have not previously been reported. The weakened code will take effect in mid-July unless either House of Parliament resolves against it.

The Code is issued under the Telecommunications (Security) Act 2021, which requires providers to take appropriate and proportionate security measures. Although technically guidance rather than directly enforceable law, Rob Bratby, managing partner of Bratby Law which advises telecoms operators, said it provides a “yardstick” that regulated companies are measured against.

“Departing from it without a documented and defensible reason is exactly what gets a provider into difficulty on the underlying statutory duty,” he said, noting operators could be fined up to ten percent of turnover if found to have fallen short.

What was dropped

Among the protections Britain has now abandoned is a requirement for providers to deploy an independent signalling intrusion detection system — separate from existing controls such as signalling firewalls, and ideally supplied by a different vendor — to monitor outgoing traffic for evidence that those controls had already been bypassed. 

These systems are intended to catch one of the defining characteristics of the Salt Typhoon campaign, which impacted more than 80 countries, using a network's own signalling infrastructure to siphon data away.

Also dropped was a requirement for telecoms companies to treat incoming signalling as untrusted by default, as attackers increasingly exploit telecoms protocols built on the assumption that messages from other networks can be trusted.

The government also removed a requirement to restart network equipment every month. This would wipe away sophisticated memory-only malware that leaves no trace on disk and cannot be detected while a system is running, but does not survive a reboot. Providers told the government a monthly schedule was unworkable. The revised rules recommend restarts only where feasible.

Telecoms systems rely on service accounts — automated background accounts with broad access permissions to run core functions — which the government's own documents describe as “a prime target for compromise by threat actors.” Requirements to secure those accounts, originally due by the end of 2028, have been pushed to the end of 2029.

Further measures requiring providers to map their own vulnerabilities, test their defences and document how their systems communicate with the outside world have been similarly delayed.

Ofcom's most recent security report, published in December 2025, found that some of Britain's largest providers were already likely to miss implementation deadlines for measures around identity and access management — the broader category that includes service account security, and one of the areas the delayed measures were designed to address. The same report said Ofcom had been working closely with DSIT and the NCSC on the response to Salt Typhoon.

Bratby told Recorded Future News the service account delay was hard to reconcile with the government's own threat assessment: “Service accounts are precisely where a capable attacker wants to be, because they carry standing privileged access, and the government says as much in its response.”

He said the government’s decision to push back the date by which it expects these accounts to be secured “does mean a known and actively exploited weakness stays open for another three and a half years, and that is hard to square with the urgency the threat assessment describes.”

A one-sided calculation

Responding to Recorded Future News, a spokesperson for DSIT said: “The UK already has one of the strongest telecoms security frameworks in the world, with clear legal duties and requirements on providers to protect our public telecoms networks and services.”

“The Draft Revised Code of Practice builds on this with a substantial set of new guidance measures, in addition to those already in the Code. We’ve worked closely with the NCSC to ensure industry feedback is considered in this update, alongside the changing security threat, and the cost and practicalities of putting these new guidance measures in place.”

Across the consultation documents, however, the proportionality assessment for each rollback follows the same pattern: a measure was proposed, providers objected to its cost or practicality, and the measure was dropped, softened or delayed. None of the published assessments account for the cost of a successful hostile-state intrusion into UK telecoms infrastructure.

Seven of Britain's largest providers submitted cost estimates in a supplementary survey after the main consultation closed. Those figures have also not been published.

Bratby said the government's legal standard required more than a one-sided accounting. “A proportionality exercise that counts only what compliance costs industry, and not what an incident would cost the country, is incomplete on its own terms.”

Martin, now a professor at Oxford's Blavatnik School of Government, echoed those concerns. “You're supposed to evaluate these measures against the cost of likely national security damage,” he said. “What are you measuring it against otherwise?”

The government has in other circumstances published such assessments. Three weeks after the telecoms consultation closed, DSIT published independent research estimating cyberattacks cost the British economy £14.7 billion ($19.7 billion) annually. The figure came from research commissioned to support the proportionality case for a separate piece of legislation, the Cyber Security and Resilience Bill.

That work had been developed while the government was preparing its telecoms consultation, and was published on the day the Cyber Security and Resilience Bill was introduced to Parliament. No equivalent analysis was produced for the telecoms sector.

The NCSC’s chief technology officer, Ollie Whitehouse, had identified this as a structural problem three months before the consultation opened. In a June 2025 blog post, Whitehouse argued that cybersecurity investment decisions systematically underweight downstream costs because those costs fall not on the companies making the decisions but on their customers and the public.

“The cost of underinvestment in cyber security is ultimately borne not by the vendors, but downstream by customers, insurers, the government and wider society,” he wrote.

Martin told Recorded Future News that some of the rollbacks were plausibly explicable as the consultation process working normally — industry demonstrating it was already meeting a requirement by an alternative method. But he said the cumulative picture was concerning.

“Added to the delays on the Cyber Security and Resilience Bill, this could give the impression — however inadvertent — that the government is trimming important details at the margins of security regulations out of a misguided sense that it is somehow pro-growth,” he said. “The government needs to be careful that impression doesn't fester.”