Don't worry about the government?
2023 is going to be another busy year for telecom security. Last year, the ramping up of geopolitical tensions in Eastern Europe, the Middle East and Southeast Asia saw an elevated level of cyberthreats targeting telcos from nation-state threat actors affiliated with Iran, Russia and China.
Government abuses of NSO spyware continue to surface, as does new evidence of other vendors like Tykelab selling similar products. In the best-case scenario, the threat level from nation-state threat actors targeting and abusing the telecom sector will remain elevated throughout 2023. In the worst case, it will get even worse. And that's without even mentioning the threat from regular criminal cybergangs.
Some governments, legislatures and regulators have seen enough. In one sense, 2023 is year zero for telco security operations in the UK. The Telecommunications (Security) Act was passed at the end of 2021, but the accompanying Code of Practice, in all its 100-plus pages of granular detail, was only due to be finalized at the end of last year. Ofcom can now issue penalties of up to 10% of turnover to any UK telco that fails to comply. Momentum varies between and within regions, but as a general global trend, politicians and regulators who haven't already tired of laissez-faire in telecom security are starting to tire of it.
Did banning Huawei help?
The tragicomedy of T-Mobile's umpteen data breaches in the US and the small political earthquake triggered by the Optus breach in Australia at the end of last year have shown that the enterprise IT side of the telco house continues to be at least as vulnerable as the telecom or operational technology (OT) side.
Even on the OT side, the fact that so many telco boards and management teams still permit themselves to avoid spending on basic network security controls like Gi/SGi and SS7/Diameter firewalls shows that neither corporate governance nor regulatory oversight of the telecom sector is where it needs to be. Unless it's just one part of a far-reaching upgrade of cybersecurity people, processes and technology throughout a telco organization, does anyone still believe that banning Huawei is anything more than a placebo?
While telcos have generally done better at protecting their telecom domain, they're staring down the barrel of new risk with the introduction of cloud native 5G standalone (5G SA) networks. Every part of a cloud native automated CI/CD pipeline is open to abuse and has to be protected; assuring the security of the open source software that feeds the pipeline is just one example. Sure, automation reduces a lot of risks. But it introduces plenty of unfamiliar new risks too. Most telcos have yet to learn how to defend themselves and their customers against this properly. They're even further away from operationalizing those learnings effectively at scale.
In a parting blog on his last day at the UK's National Cyber Security Centre (NCSC) at the end of last year, Technical Director Ian Levy, who led the testing of Huawei products, was scathing in his assessment of the GSMA's NESAS scheme. Lamenting it as providing little more than tick-box compliance, Levy stated that NESAS "provides no useful information to end users of the equipment to make risk management decisions." Yes, Levy is a global leader, and as such he is ahead of the game and highly demanding. And yes, the GSMA has made and continues to make progress with NESAS. But Levy's parting shot is an important pointer as to just how far the telecom sector is from where it needs to be from a security standpoint.
Nokia vs. Ericsson
I'm optimistic that 2023 will see more security innovation from telecom networking vendors. Among smaller players, NetQuest Corporation showed the way at the end of 2022 with its differentiated Network Security Broker (NSB). It is tailored to separating, with fine-grained filtering and at telecom scale, the streams and packets a telco SOC needs to see from those it doesn't.
At the turn of the new year, I'd give Nokia an edge over Ericsson in terms of the momentum they each have with their products for telco SOC operations.
Nokia's own Security Information and Event Management (SIEM) platform was originally featured under the hood of its NetGuard Cybersecurity Dome. It has now been swapped out for Microsoft's Sentinel SIEM platform, a good move. The messaging around NetGuard XDR also suggests that before long, Nokia will add agent-based detection to network-based detection for sharper differentiation against the CrowdStrikes and Cybereasons of this world. Ericsson's touting of its Ericsson Security Manager (ESM) has been more low-key, although the announcement of Vodafone Turkey as a new customer at the end of last year suggests that investment and sales are continuing into 2023.
All these factors provide the context in which telcos will execute current security strategies and devise new ones in the coming year. They are, or at least they want to be, on a path to serving and securing whole swathes of Internet-connected critical infrastructure. That's a very big step up in societal dependency from securing smartphones, laptops and some general-purpose IoT 'things.' Moreover, telcos need to do this with technologies, operating models and open, distributed architectures that are largely unfamiliar to them.
It really shouldn't take regulatory intervention to drive telcos to up their game in cybersecurity throughout their organizations to meet these goals – but in too many cases, it probably will.
— Patrick Donegan, Principal Analyst, HardenStance