Changing telco security for the better
How new legislation is challenging telco firms to radically improve their security
Our national infrastructure is at risk. Unless you are involved in the telco industry, you may be blissfully unaware of a lengthy UK parliamentary process that has been quietly underway since 2017 - one that promises to radically change how telecom operators design and operate our national telecommunications infrastructure.
Gartner predicts that by 2025, “30% of critical infrastructure organisations will experience a security breach” that will result in an outage of a mission-critical system. The UK government is getting tough on telecoms providers, requiring them to redesign their networks, apply security patches within 14 days, run extensive proactive monitoring, and embrace modern practices such as automation, infrastructure as code and cloud-native application design.
Enter…The Telecommunications (Security) Act
The Telecommunications (Security) Act became UK law in November 2021, imposing strengthened security requirements on telecoms providers and granting the UK communications regulator, Ofcom, new powers to ensure compliance.
In the words of Julia Lopez MP, Minister of State for Media, telco providers “need the right incentives to prioritise security within their day-to-day business operations and long-term investment plans”.
The investment will undoubtedly be high, but nothing compared to the cost of non-compliance: in the worst case, providers could be liable to a fine of up to £10,000,000 (potentially rising by £50,000 per day). It is no surprise, then, to hear that tier-1 providers find themselves suitably “incentivised” to begin planning seven-figure, multi-year transformation programmes.
Scope
The Act and its supplementary regulations cover six key areas:
Network security: redesigning networks so they are more secure, stopping any would-be attack on one part of the network from affecting another.
Infrastructure as code: operational practices should be automated wherever possible, with any manual administration creating an alert.
Security patching: patches must be implemented within 14 days, and services relating to network oversight functions rebuilt every 24 months, covering both the operating system and application software.
Observability: providers must automate monitoring and analysis of security critical functions, ensuring that all data is held securely for at least 13 months.
Supply chain: there is a marked change in how providers select, manage and work with any third parties. They will be expected to retain sufficient in-house expertise to re-tender their managed services arrangements (including public cloud) at any time.
National security: providers must be able to identify the risks of security compromises occurring, and to operate the network without relying on services from outside the UK.
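Three of the requirements above carry concrete, checkable numbers: the 14-day patch window, the 24-month rebuild of oversight functions, and the rule that any manual administration must raise an alert. The script below is an added example of how a provider might turn those into automated evidence checks; it is not code from the article, the Act or Ofcom. The inventory records, session events, the automation identities `svc-gitops` and `svc-ansible`, and the field names are all constructed for the example, and the exact interpretation of the windows (measured from the date a patch became available; a rebuild "due" once 24 calendar months have elapsed) is an assumption, not the Regulations' wording.

```python
"""Added example: evidence checks for the patching, rebuild and
manual-administration requirements summarised in the article.

All data below is constructed; field names, identities and the precise
reading of each window are assumptions for illustration only.
"""
from datetime import date, timedelta

# Thresholds as summarised in the article.
PATCH_WINDOW_DAYS = 14        # patches implemented within 14 days
REBUILD_WINDOW_MONTHS = 24    # oversight services rebuilt every 24 months

# Assumed automation identities; any other actor making a change is "manual".
AUTOMATION_ACTORS = {"svc-gitops", "svc-ansible"}


def add_months(d, months):
    """Shift a date by whole months, clamping the day to the target month."""
    month_index = d.month - 1 + months
    year = d.year + month_index // 12
    month = month_index % 12 + 1
    # Last day of the target month: first day of the following month minus one.
    last_day = (date(year + month // 12, month % 12 + 1, 1) - timedelta(days=1)).day
    return date(year, month, min(d.day, last_day))


def patch_breaches(inventory, today):
    """Hosts whose patch was applied more than 14 days after it became
    available, or is still unapplied once the 14-day deadline has passed.
    Returns (host, status, days_over_deadline) tuples."""
    late = []
    for host in inventory:
        deadline = host["available"] + timedelta(days=PATCH_WINDOW_DAYS)
        applied = host.get("applied")
        if applied is None:
            if today > deadline:
                late.append((host["name"], "unpatched", (today - deadline).days))
        elif applied > deadline:
            late.append((host["name"], "late", (applied - deadline).days))
    return late


def rebuild_due(inventory, today):
    """Oversight-function hosts whose last full rebuild is 24 months old or more."""
    return [h["name"] for h in inventory
            if h.get("oversight")
            and add_months(h["last_rebuild"], REBUILD_WINDOW_MONTHS) <= today]


def manual_admin_alerts(events):
    """Every configuration change not made by an automation identity, or made
    without a change reference, produces an alert. Read-only access is ignored."""
    alerts = []
    for e in events:
        if e["action"] != "config_change":
            continue
        reasons = []
        if e["actor"] not in AUTOMATION_ACTORS:
            reasons.append("manual actor")
        if not e.get("change_ref"):
            reasons.append("no change reference")
        if reasons:
            alerts.append((e["ts"], e["actor"], e["target"], "; ".join(reasons)))
    return alerts


# Constructed sample data (not real hosts or people).
TODAY = date(2022, 6, 1)
INVENTORY = [
    {"name": "bng-01", "available": date(2022, 5, 1), "applied": date(2022, 5, 10),
     "oversight": False, "last_rebuild": date(2021, 1, 15)},
    {"name": "oss-02", "available": date(2022, 5, 1), "applied": date(2022, 5, 20),
     "oversight": True, "last_rebuild": date(2020, 5, 31)},
    {"name": "dns-03", "available": date(2022, 5, 10), "applied": None,
     "oversight": True, "last_rebuild": date(2020, 7, 1)},
]
EVENTS = [
    {"ts": "2022-05-30T01:00Z", "actor": "svc-gitops", "action": "config_change",
     "target": "bng-01", "change_ref": "CHG-4411"},
    {"ts": "2022-05-30T02:15Z", "actor": "jsmith", "action": "config_change",
     "target": "oss-02", "change_ref": "CHG-4412"},
    {"ts": "2022-05-30T03:40Z", "actor": "svc-ansible", "action": "config_change",
     "target": "dns-03", "change_ref": ""},
    {"ts": "2022-05-30T04:00Z", "actor": "jsmith", "action": "read",
     "target": "dns-03"},
]

if __name__ == "__main__":
    print("patch breaches:", patch_breaches(INVENTORY, TODAY))
    print("rebuild due:", rebuild_due(INVENTORY, TODAY))
    for alert in manual_admin_alerts(EVENTS):
        print("ALERT:", alert)
```

Note that a host that was patched late and a host that is still unpatched are reported separately, since the remediation differs; and the manual-administration check deliberately does not exempt automation identities from the change-reference rule, so a pipeline that bypasses change control still raises an alert.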
It is important to note too that this is just the beginning; the Act is clearly a step-change in the expectations put upon providers, and we should expect future revisions to the legislation as technology (and attacks) change and adapt in the future.
Time to act
Providers may well feel they are in an impossible position: whilst the government is imposing strict controls on change and operation, the desires and behaviours of customers continue to change rapidly, demanding bullet-proof access to faster networks, available in more places, delivered and supported through mature, easy-to-navigate digital journeys.
Telecom providers must change their playbook if they hope to keep pace, looking towards the latest technology and practices that give them the capability to adapt and react to change rapidly.
Define a clear vision and strategy
To achieve radical change, it is first necessary to define clearly what the target state looks like. Those hoping to perform a gap analysis from their current position and implement a series of “mitigations” are likely to fail, either in the short term on compliance, or in their long-term ability to continuously adapt and grow as this and other legislation develops.
As the line between telco and tech company continues to blur, it is vital for providers to get out of their comfort zone and take this opportunity to look beyond their usual hardware vendors. They should look to invite engagement from software firms that have a broader view across industries, and a decade of experience of modern agile development practices, cloud native platforms and secure software supply chains.
Re-imagine the telco cloud
In 2012, the European Telecommunications Standards Institute (ETSI) defined the path for telco towards software-defined networks and cloud-based infrastructure in the form of Network Function Virtualisation (NFV).
Unfortunately, ten years later and despite a surge in adoption, the “telco cloud” has failed to deliver for most operators. Many chose to deploy an integrated stack from their traditional suppliers and have struggled to integrate best-of-breed solutions from other vendors. Worse, many are now in so deep that changing tack has become cost-prohibitive.
Rather than rely upon a single, static solution stack, providers should take a ‘platform-first’ approach, where the emphasis is on building an open, vendor-agnostic platform that can support a rich ecosystem of technologies and vendors, covering the full spectrum of current and future telco applications.
App modernisation
We’ve no doubt all read many articles about “digital transformation” and “app modernisation”, but how does it relate to telco? There are five key pieces of advice for those providers who are on the journey from telco to “techco”.
Empower more internal development that can be quickly tailored and adapted.
Increase software development and DevSecOps skills, driving both tech and cultural change.
Focus on automated, zero-touch deployments of short-lived immutable instances that are auditable at source.
Change investment strategy to drive innovation and continuous improvement.
Iterate quickly to develop a business-specific pipeline that delivers new functionality quickly.
Observability
Unsurprisingly, monitoring and audit capabilities feature heavily throughout the Act, which requires providers to take measures to monitor and analyse security-critical functions.
Engineers need dashboards and intelligent alerting to bring key metrics to their attention, with the ability to then dive down into the deepest, darkest corners of the estate.
As if this were not challenging enough, the Regulations require that all this data be held securely for at least 13 months. For large, complex telecommunications systems that is going to be a great deal of data, likely to impose significant cost on providers, particularly if they also wish to exploit that treasure trove for data mining or machine learning.
Conclusion
It’s clear that the UK is racing to secure critical national infrastructure. It’s not alone, given similar increases in cyber defences in different territories and across other industries, such as finance, energy, transport, and health.
Traditional approaches to how telco providers provision, manage and secure their platforms are no longer adequate. Providers must escape the telco echo-chamber, seek knowledge and guidance from organisations with proven experience of cloud-native app modernisation to bring radical business, technological, and cultural change.
The cost of failure is now simply too high.
(an adapted version of this article also appeared on Business Reporter and InfoSec Buzz)