Telecoms.com periodically invites expert third parties to share their views on the industry’s most pressing issues. In this piece Rob Marson, Head of CNS Business Applications Strategy at Nokia, guides us through the current regulatory minefield.
If there’s anything we’ve learned in the last several years, it’s that 5G security is crucial for the protection of any organization – most importantly, communication service providers (CSPs). Without it, they risk costly breaches worth millions of dollars, damage to their reputation, the loss of customers, and the exposure of their most sensitive business data.
Yet, how does one prepare for the unpredictable? The uncontrollable? By carefully observing past security trends, CSPs can crack the code and discover how to be best equipped for the future.
Networks deployed in the 5G era are software in nature, meaning they are exposed to more types of attacks, and cyberattacks no longer have to be specialized. In layman’s terms, one does not need to be a telco expert to attack a container.
Without a rule book, threats such as ransomware aren’t going away anytime soon. Unfortunately, neither are the security trends we saw this past year, including the security skills shortage, nation-state supply chain attacks, new technology (Web3 and IoT), insider threats, and more.
Risk exists everywhere. This is causing many CSP CISOs to have sleepless nights as they’re in a constant state of worry about how they can ensure their organization’s critical infrastructure is secure. And not only that – but how to quickly detect and respond to threats as they happen.
On top of that, governments worldwide have wildly different compliance and security regulations. So, how does a large operator with many jurisdictions ensure compliance in the rapidly evolving 5G security landscape? That is the million-dollar question.
The unplanned 5G security trend: Differing security regulations
Security threats evolve and adapt, but regulations and policies play a big role in 5G security worldwide and have the power to influence the standards put in place. Governments will engage with standards organizations, such as NIST, CISA, ETSI, ITU, TSSR, 3GPP and more, to support the inclusion of needs and ideas in emerging 5G standards.
Many governments have established a regulatory framework to better manage national security risks relating to critical infrastructure. If a large operator has parts of their business in different countries, knowing when those standards and frameworks have changed will be critical to ensure the needs of 5G services are met, and customer expectations aren’t disrupted.
Examples of government security regulations:
- United Kingdom: Telecommunications Security Act 2021 (‘the TSA’) – A new security framework for providers of UK Public Electronic Communications Networks and Services.
- United States: Executive Order (EO) 14028 (May 12, 2021): Improving the Nation’s Cybersecurity – Requires service providers to share cyber incident and threat information and more.
- Australia: The Telecommunication and Other Legislation Act 2017 – an established regulatory framework to better manage the national security risks of espionage, sabotage and foreign interference to Australia’s telecommunications networks and facilities.
Why the sudden surge in regulations?
As more countries implement 5G, the number of cyber attacks on mobile networks continues to grow. The openness of 5G is not news, but the increase in expectations from government policymakers is something all CSPs must now consider. In an effort to reduce the number of cyber attacks, especially on mobile networks and IoT devices, many governments have developed or will develop a unified standard framework that both CSPs and enterprises must follow.
In 2022, Gartner predicted that through 2025, 30% of nation-states are likely to pass legislation that regulates ransomware payments, fines, and negotiations. We’ve already begun to see this come into play with CSP data breaches. CSPs no longer just have to recoup the cost of the breach itself; government agencies will now also determine whether they were in compliance with local regulations. If not, civil penalties through the federal court may be pursued, leading to unanticipated fines and additional costs.
Additionally, Gartner predicts that through 2023, government regulations requiring organizations to provide consumer privacy rights will cover 5 billion citizens and more than 70% of the global GDP. As government regulations begin to tighten from country to country, having the right security measures and partners in place is imperative to avoid costly mistakes.
Three steps to ensure security compliance
Partnering with a 5G security expert who can provide guidance is the best way to ensure one’s 5G security follows regulations and compliance requirements. To gain visibility into their 5G security posture, CSPs need to sense, think, and act.
- Sense – CSPs need better observability of their security posture. Observability is the evolution of monitoring in the cloud native era. As networks and applications become disaggregated, traditional monitoring is insufficient to establish context between resources and services spread across different networks and infrastructures. Containerized microservices are not isolated entities. As the number of network components grows, so does the number of interconnections—and the data produced by those communication events. The result is an exponential increase in the number of interactions that need to be tracked to make sense of what’s happening in the environment.
Observability is also required to maintain a secure posture. Cloud platforms are rife with misconfigurations that are regularly exploited. Developers using network-as-code tools simply lack the cybersecurity expertise required to ensure that cloud application environments are secure. It’s up to the CSP or cloud provider cybersecurity team to ensure that the policies and safeguards developed to protect cloud platforms are observed, particularly regarding APIs. But with multi-cloud computing and cloud-native applications, the attack surfaces are constantly increasing, both in terms of the number of platforms used and the types of applications being deployed. Collecting and contextualizing data gives you context on your current security measures. Understanding what’s currently in place and where the gaps are will allow you to identify the best course of action to better secure the critical infrastructure and avoid a data breach.
- Think – With observability in place, CSPs can more effectively leverage AI/ML to drive automation and predict threats better, using algorithms that enable use cases to go beyond the limitations set by rule-based detection of security-affecting issues. Furthermore, with a contextual understanding of the relationships between different entities, security teams will be better positioned not only to detect security incidents but also to understand how the vulnerability of one system affects interdependent systems.
- Act – Finally, automation is the key: it can significantly reduce the average time to identify and respond to a data breach, lowering the average breach cost. Automation-enhanced incident response playbooks can quickly reduce dwell times once vulnerabilities or threats are detected and can be proactively executed to maintain the strongest security posture. Automation tools can also help security experts immediately monitor business impact to ensure business continuity with threat management and resiliency.
In 2023, better aligning your 5G security plan with cybersecurity compliance and data privacy regulations will help keep your organization, its data, and its customers secure against data breaches and other cyber threats. However, location-based cybersecurity compliance and industry-based cybersecurity regulations can be confusing and leave you exposed. Ensure you have the right partner with 5G specialized security products and expertise to help your 5G security practices remain compliant and keep you and your customers safe.
Rob Marson heads Portfolio Operations & Solutions for Business Applications within Nokia’s Cloud and Network Services Business unit. Rob and his team are leading new approaches to software-driven value creation and ecosystem enablement including a new initiative called Nokia IGNITE, which focuses on accelerating innovation through collaboration with complementary partners and customers. It standardizes and scales our approach towards collaboration and is part of our overall technology leadership strategy leveraging open digital architectures, capability exposure through APIs and new business models. This builds on concepts Rob launched while part of Nokia’s Emerging Products Unit in the Nokia Optical Networking business group. Previously, Rob was head of strategy for Nokia’s cybersecurity product unit within the Nokia Software business group. In this role, he was responsible for portfolio and strategic marketing, market assessment, launches and marketing strategies in support of new business development and expansion. Rob joined Nokia via its acquisition of Nakina Systems where he was Vice President of marketing and strategy. As part of the executive team, Rob directed the company to its successful acquisition by Nokia. He has previously held senior management positions at a number of market-leading public technology companies.