It was as if Optus had told the world it wanted to be hacked. Last month, the Australian internet service provider discovered that an API its technicians had been using to test the integrity of its software had been breached. Far from being located behind multiple firewalls, however, this particular API resided on a single, publicly accessible website – with no security whatsoever protecting the personal data of some 10 million Australians. The response from the Australian government was one of fury – and not a little embarrassment. “We should not have a telecoms operator in this country effectively leave a window open for data of this nature to be stolen,” said the country’s Home Affairs minister.
Eventually, Canberra forced Optus to pay to replace identity documents compromised by the hack. Critics opined that this was effectively closing the stable door after the horse had bolted. ISPs like Optus, after all, are under attack all the time from opportunistic hackers or, worse, state-sponsored criminal gangs looking for backdoors into rival nations’ telecommunications networks. However, regulations mandating tougher security on the part of operators have been thin on the ground – until now. The UK’s new Telecommunications Security Act (TSA) will hand Whitehall new powers to uphold strict new security standards in the internal operations and the supply chains of ISPs. Failure to do so will result in fines of up to £100,000 per day, or 10% of the company’s turnover until problems are fixed.
It is welcome news for a sector where security standards were largely made up by big players as they went along, explains Avishai Avivi, CISO at cybersecurity firm SafeBreach. “As demonstrated by both GDPR and CCPA for privacy in the EU and the US respectively,” says Avivi, “government regulations with the ability to levy fines make a real difference in how seriously companies address what is, up to that point, a self-regulating industry”.
Having received Royal Assent last year, the Telecommunications Security Act came into force earlier this month. Even so, concerns persist among the companies themselves that the phased costs involved in implementing the legislation – expenditures that they are largely expected to shoulder – will prove exorbitant, with official estimates putting the total outlay at £4.1bn over the next decade. Scrutiny of the bill in the run-up to implementation has also been intense. Fears that the government’s target of full implementation of the law by next year left too little time for ISPs to fully comply with the new rules dissipated after the government pushed that date back to 2024 at the earliest. Meanwhile, a more troubling requirement that operators retain internet records for up to 12 months was dropped in March – again, after feedback from ISPs.
This is not to say that the Telecommunications Security Act in its completed form is lacking teeth – far from it, explains Marcus Bagnall, partner at Wiggin LLP. While the government has shown its willingness to listen closely to industry concerns, he says, the new law is nonetheless “fairly ground-breaking in the sense of how prescriptive it is”.
Implementing the Telecommunications Security Act
That judgement derives, in large part, from the long list of security checks that telecoms companies will have to make under the new legislation. ISPs, for example, will need a comprehensive understanding of all of the risks facing their networks, must ensure that all their business processes are run to support the secure running of those networks, and must guarantee to the best of their knowledge that ‘edge’ computing equipment is hardened against attack from cybercriminal gangs and nation-states alike.
Even so, the costs of compliance will not be uniform across the sector. Enforcement of the TSA will be split into three tiers defined by the size of the company in question, with the largest Tier One providers expected to abide by all provisions of the new bill. All companies are eventually expected to be in basic compliance by March 2024.
Implementation will not be easy, explains Avivi. However, if the new rules are followed properly, CISOs should not find them too onerous. “As with the aforementioned regulations, the devil is in the details,” he says. “Rather than tick-the-box compliance with generic guidelines, specific recommendations and requirements will require organisations to remediate any deficiencies they may currently have.”
ISPs are not in a position to complain that they haven’t had enough time to prepare for these changes either, explains Bagnall. The majority of what’s contained in the TSA “would not be a surprise to industry”, he says. “A lot of clients that we’re speaking to have been preparing for this for some years.”
Indeed, many of the Tier One companies have already invested significant resources into getting their teams and their systems ready, digging around inside their supply chains to ensure that all equipment from Huawei and other proscribed providers is identified and ripped out to ensure full compliance from day one.
Tightening ISP security
Implementation of the TSA will not just cost ISPs a pretty penny. Ofcom, the regulator assigned to enforce the new rules, will require additional funding of between £50m and £70m to equip it for the task at hand. However, that expenditure pales in comparison to the ultimate cost of telecoms giants becoming the new favourite toy for cybercrime gangs. “If you're a major ISP, one data breach can cost you hundreds of millions just to solve in terms of all of the steps that need to then take place to cleanse your network, to isolate the problem, to redress the issue, to pay potential fines,” says Bagnall.
The example of Optus just goes to show how vulnerable the telecoms industry is to further breaches. Indeed, ISPs come under more or less constant attack, explains Warren O’Driscoll, head of security practice at IT consulting firm NTT Data. One of the main problems with securing them from breaches, adds O’Driscoll, is the need to balance security against the need to keep all of the infrastructure behind the networks they run interoperable. In that sense, he explains, old technologies need to be protected “in a way that they don't just get left forgotten and basically become the easy point of entry.”
As such, the legislation has probably come at the right moment, argues Bagnall, considering that we are still in the early stages of rolling out 5G in the UK. “We've barely begun in terms of seeing those solutions being deployed,” he says. “So, this legislation is quite timely from that perspective.”
While the UK is leading the pack when it comes to passing such tough new regulations, other jurisdictions are catching up fast: the EU and the US, for example, are pursuing similar laws. Singapore is another important example of a nation taking extra steps to harden telecommunications networks against attack, explains Scott Taylor, EMEA director of business and development at Armis. “At government level, they’re looking at the 5G security target operating model and the reference security architectures that they’re going to need to deliver for things like connected health, smart cities, connected vehicles,” says Taylor.
Ultimately, regardless of the money it will take to implement new regulations, or the effects of heightened regulatory powers, the data of ordinary users must be safeguarded. The protection of critical national infrastructure like the telecoms industry is therefore paramount. “At the end of the day,” agrees Avivi, “the new regulations are protecting the consumers.”