YesWeHack will work with the operator to help identify vulnerabilities in its communications infrastructure
It is no secret that cybersecurity attacks are on the rise worldwide, growing both in frequency and sophistication. The number of reported ransomware attacks worldwide, for example, grew by roughly 105% in 2021, with governments, the healthcare industry, and telecoms operators being disproportionately popular targets for attackers.
In recognition of this evolving threat, Telenor Sweden has today announced that it has forged a new partnership with crowdsourced security platform YesWeHack, aiming to find and fix vulnerabilities in the operator’s telecoms infrastructure.
The partnership operates via a bug bounty programme, whereby YesWeHack’s hacker community is challenged to probe Telenor’s infrastructure, receiving a monetary reward for reporting weak points in the operator’s cyberdefenses.
According to the press release, Telenor Sweden had previously run a private bug bounty programme via YesWeHack, where specific members of the community were invited to attempt to breach Telenor’s defences. Now, the partnership is extending this challenge to YesWeHack’s entire community of roughly 35,000 global cybersecurity researchers.
Based on the YesWeHack website, bounties for reporting gaps in Telenor’s defences could net hackers between €50 and €4,000.
“The partnership with YesWeHack is one of the ways we work with security and maybe one of the most important ones in our proactive work to stop cybercriminals. The return on investment is huge since we get access to thousands of security researchers while only paying a fraction of the cost it would take to recruit them all individually,” said Ulf Andersson, Head of Information Security at Telenor Sweden. “We are now planning to level up both the private and public program to make it even more attractive and generate more reports.”
Bug bounty programmes are nothing new for the telecoms industry, though it is worth noting that it is typically vendors and device makers, not the operators themselves, that launch these initiatives.
Nokia and Ericsson, for example, participated in a 5G cyber hackathon towards the end of 2019, giving 80 hackers 24 hours to find flaws in the security of their commercial and pre-commercial 5G New Radio, 5G non-standalone core, and 5G Fixed Wireless Access products. A follow-up event, also featuring Cisco and PwC, took place last year.
Meanwhile, on the device side, Apple has been running the Apple Security Bounty programme since 2016, opening it up to the public in 2019 and offering payments of up to $1 million for identifying specific vulnerabilities. Samsung runs a similar programme, offering between $200 and $200,000 for qualified reports.
For the operators themselves, such programmes are far less common and tend to offer far smaller rewards than the vendors’; AT&T’s bug bounty programme, launched in 2020, for example, pays out no more than $2,000.
However, according to cybersecurity specialist Patrick Donegan, Founder & Principal Analyst at HardenStance Ltd, these initiatives from operators should become more common as the threat of these attacks increases.
“Leading telcos like Telenor are starting to use hackers on their network infrastructure in the same way that network and device vendors do on their products,” explained Donegan. “It’s important for telcos to require stringent security testing of the networking hardware and software their vendors deliver to them but it’s also important that they carry out their own testing and flaw-finding exercises themselves on an on-going basis. They have to be careful in their choice of partners and individuals they invite to work with them on this but if they can find the right partners, they’re an important layer in ongoing telco security operations.”
Like the old Russian adage says, ‘trust, but verify’.
With networks becoming more complex and the number of cyber threats growing, bug bounty programmes like this are sure to become an increasingly necessary weapon in operators’ repertoire in the fight against cybercrime.