Telecoms.com periodically invites expert third parties to share their views on the industry’s most pressing issues. In this piece Matias Madou, Co-Founder & CTO of Secure Code Warrior, looks at the implications of a new piece of UK, telecoms-specific legislation.
The Telecoms Security Bill, which seeks to introduce a new security framework for the UK telecoms sector, is currently being passed through the UK parliament. The bill aims to ensure that public telecommunications providers operate secure and resilient networks and services, and manage their supply chains appropriately.
The telecoms industry, like many others, has relied on a reactive approach to security for far too long. While the new rules introduced by the bill don’t prioritise a grass-roots approach to security led by secure coding, the bill does introduce a series of tests to ensure providers are meeting government standards. So, what exactly does the bill mean, and how are these new rules going to ensure that security risks and compromises are minimised in the sector?
Raising security standards, across the board
To put it simply, the Telecoms Security Bill aims to empower the government to boost the security standards of the UK’s telecoms networks, whilst removing the threat of high-risk vendors. These measures include new controls on the use of Huawei 5G equipment, for example, including a ban on the purchase of new Huawei equipment from the end of this year, and a pledge to remove all Huawei equipment from 5G networks altogether by 2027.
Another key change is around penetration testing, or “pen-testing” – under the new regulations, telecom providers will be required to pen-test their networks annually. Although many providers already test their networks regularly, the new security framework will make the practice compulsory. In order to understand the potential impact of the bill, we need to drill down into what pen-testing actually involves and why it’s so essential for the industry.
Compulsory annual pen-testing
Pen-testing is a security technique designed to identify, test and flag vulnerabilities in IT systems. This is done by allowing “ethical hackers” to simulate cyberattacks to test the security of a computer system, website, network or application. Creating a simulation helps to identify vulnerable entry points into a company’s IT infrastructure and test the strength of security networks against possible real-life scenarios by mimicking methods used by hackers.
From code through to network, it is an important exercise for businesses to put their security infrastructure through its paces, using a process that is unique to each IT system and its structure. By using a tailored approach, organisations will see vulnerabilities before hackers exploit them – a benefit for both security teams and customers using the network. Although regular pen-testing is only now becoming mandatory, Markets and Markets recently reported that penetration testing remains on track to become a $4.5 billion industry by 2025. Once pen-testing becomes a legal requirement under the proposed telecoms bill, failure to comply would mean substantial fines for organisations (up to 10% of revenue turnover).
While pen-testing forms an integral part of securing telecoms networks, it is important to note that it’s not an instant fix for any organisation’s security posture. A successful pen-test relies heavily on the tester’s level of experience – if the professional hacker is unfamiliar with a particular IT system or application, for instance, organisations can’t be sure their infrastructure has been truly tested. Pen-testing is not a full security audit and shouldn’t hold the same weight as one. Additionally, security teams are often poised and ready to react when a pen-test is underway, which is not representative of a real cyberattack, where the breach is usually unexpected.
A spotlight on secure code
A more efficient way to maximise telecoms security which doesn’t feature in the proposed government bill is secure coding. If the developers responsible for the code creation behind telecoms networks were properly trained and more security-aware, a lot of issues would be nipped in the bud.
Many companies and government bodies looking to build more robust security programs that stay in step with key security developments are already investigating a more preventative approach. However, it is imperative that the people factor is a key consideration in any defensive security plan. Investing in security-conscious developers in the first instance saves businesses the headache of dealing with security lapses retrospectively, as vulnerabilities are eliminated from the beginning of the software development journey.
Overall, the new regulations forming the Telecoms Security Bill are a positive move for the industry. With pen-testing becoming compulsory, more vulnerabilities will be highlighted and telecoms networks will become more secure by default. However, it is important to use pen-testing in conjunction with other security methods, such as upskilling developers in security from the start, in order to ensure the most secure outcome.
Matias Madou is the current CTO and co-founder of Secure Code Warrior. He is a researcher and developer with more than 15 years of hands-on software security experience. Over his career, Madou has led multiple application security research projects which have led to commercial products, and he holds over 10 patents. When he is away from his desk, he has served as an instructor for advanced application security training courses and regularly speaks at global conferences including RSA Conference, Black Hat, DEFCON, BSIMM, OWASP AppSec, and BruCon. Madou holds a Ph.D. in computer engineering from Ghent University, where he studied application security through program obfuscation to hide the inner workings of an application.