Navigating 5G security in telecommunications: Regulations, implications

5G networks have now been delivered by more than 200 operators, spanning 83 countries globally. The technology offers improved performance over earlier network technologies. Download and upload speeds are faster, and it can support a greater number of devices in one location with better reliability and connectivity. That said, if you have a 5G handset today, you would be mistaken in thinking that the only thing it offers is “more of the same, but faster”, says Filip Verloy, field CTO, Noname Security.

However, 5G has the potential to enable new types of applications and digital services which will accelerate telcos’ digital transformation initiatives. Nevertheless, there are regulatory and security implications that still need to be addressed. 

5.5 billion mobile devices around the world 

The mobile industry has a vested interest in ensuring the highest levels of security. According to GSMA (Global System for Mobile communications Association), there are around 5.5 billion mobile device users worldwide, plus nearly three billion cellular IoT (internet of things) connections, and how consumers use their devices is constantly evolving. With consumers relying on digital services across every aspect of their lives, the telco industry is facing increased demand for mobile applications in the payments, transport ticketing, and identity management spaces, to name a few.

Given the sensitive data these applications run, the telco industry must have the appropriate security mechanisms in place to protect users and enable the market to reach its full potential.

However, the sector is being hampered by a fragmented approach to regulations. There is a lot of confusion around regulations, with some saying there is too much governance. This results in consolidation attempts, which even the regulators recognise as an issue. The legislative framework is complex and national legislation even more so, which has led to legal uncertainty and fragmentation due to differing security standards across the European Union. National authorities have powers, but few resources. Naturally, there are concerns about the scarcity of resources and lack of expertise.

These issues are paving the way for malicious actors to find weaknesses in flawed technology. With such an abundance of consumer data, telcos are a much sought-after target. The way in which telcos operate, i.e., with distributed technology stacks and high levels of outsourcing, leaves their defensive capabilities vulnerable.

Furthermore, telcos rely on a process-driven approach, leaving them open to social engineering attacks. 

A new international framework for telcos 

Aware of the many challenges, the EU’s telecom security legislation has started to change in recent years, as it looks to promote more cooperation and a consistent interoperable security framework and standards. The Telecoms Security Act 2021 has led to most EU countries introducing new security rules for 5G networks with minimum security requirements and restrictions on high-risk vendors. This includes security audits, vulnerability assessments, incident response plans, and regular security updates to protect against cyber threats and ensure the resilience of 5G networks.

Governments are also encouraging information sharing and cooperation between industry stakeholders, regulators, and security agencies to enhance situational awareness, facilitate threat intelligence sharing, and foster collaborative efforts in addressing emerging security threats. These efforts aim to ensure global consistency and minimise vulnerabilities in global telco infrastructure. Specifically, the Telecom Framework Directive has successfully contributed to higher levels of cybersecurity and a risk management culture across the industry.

Additionally, ETNO (European Telecommunications Network Operators), an association representing Europe’s telecom operators, has proposed measures for a high, common level of cybersecurity of networks and information systems. ETNO believes that the existing NIS2 Directive provides an opportunity to achieve a coherent framework for network and service security in the telecom sector that streamlines the existing landscape of European and national legislation.

To this end, it is imperative that national regulators ensure clear and proportionate risk management and incident reporting obligations, as well as sensible oversight and enforcement systems. This builds on the telco sector’s long-standing experience in protecting the integrity of crucial infrastructures.

Protection against foreign investment 

Additionally, many countries have introduced or strengthened national security review mechanisms to assess and mitigate risks associated with foreign investment in critical telco infrastructure. These reviews aim to safeguard national security interests and protect against potential threats posed by foreign actors. Likewise, given the significance of telecom equipment vendors in the 5G ecosystem, governments have increased scrutiny of vendors and their supply chains. Some countries have implemented rigorous security assessments for vendors to ensure the integrity and trustworthiness of their products and services. 

Nevertheless, supply chains are becoming more complex and global, with a multitude of actors involved. With the shift to 5G and to a virtualised, software-defined and cloud-based infrastructure, telcos are increasingly dependent on ICT services and software, which means that the role of the service providers in determining the resilience of digital infrastructure is essential. This needs to translate into a more effective allocation of responsibility for risk management of the networks and IT systems of key sectors, since ICT providers are best placed to analyse and mitigate the security risks in their own products and services.

As a result, the decision has been made to expand the scope of NIS2 (network and information security) obligations to ICT service management including managed service providers and managed security service providers. This marks a positive step by introducing direct risk management and reporting obligations upon these key providers.

Security technology challenges 

The security challenges for telcos are significant. They are dealing with 5G upgrades from the core to the edge, which means a lot of API (application programming interface) architecture is being introduced; this again changes the attack surface. Telcos need to invest in protection for this new attack surface or be left unguarded. Telco environments are typically edge-based and very latency-sensitive, so they need to strike a balance between security and performance.

Moving forward, new encryption and privacy legislation may address the encryption requirements for 5G networks and emphasise the protection of user privacy. This could include provisions for secure communication channels, encryption standards, and guidelines to ensure data protection and privacy rights of users.

Additionally, the GSMA’s new API initiative, announced at Mobile World Congress earlier this year, is good news. This initiative is being launched with support from 21 carriers, with the aim of changing the way the telco industry designs and delivers services in a software-based API economy. The move will allow developers to access and use a variety of mobile network services like location or identity verification and carrier billing, in a simpler, more cost-effective way. 

Without a doubt, 5G offers an exciting future, but as telcos work to leverage the opportunities to build better customer experiences, they are also navigating emerging regulations, forcing them to reassess cybersecurity and risk management in the 5G era. It will be critical for telcos to strike the right balance.

The author is Filip Verloy, field CTO, Noname Security.
