Telecoms companies are drastically under resourcing their network security operations, leaving the door open for a potentially devastating attack, according to numerous sources in the global telecoms sector.

Network security pretty much picked itself as the focus of this week’s Friday Review, based on the sheer number of people who have spoken to me about it this week. Whether in one on one interviews, networking break-out sessions or during numerous emails on the subject, cyber security is the one issue that seemingly everybody has wanted to talk about.

As a former oil and gas journalist working in Dubai, I have seen first-hand how cyber-attacks on production facilities can bring multi-billion dollar companies to their knees. It is almost impossible to overstate the potential havoc that hackers can reap on an industry that is hell bent on racing towards fully automated production facilities before adequate security has been put in place. Such were the rewards for hackers in this arena that, at one point, the Middle East’s oil and gas sector was the number one target for denial of service and ransom attacks anywhere in the world.

So what can the telecoms sector learn from the oil and gas industry’s example? It seems absurd that in the year 2017 we are still talking about entire industries underestimating the severity of cyber-security, yet here we are. 

While no one in their right mind would accuse European telcos of being as ambivalent to their network security as operators in the oil and gas sector, there is still the danger that some may be a little complacent over the security of their networks.

"I think a lot of research and development (R&D) spend is being put into application development, platform development and developing new use cases. With network security, because some people think of it as having ‘been taken care of’, it is not getting the investment dollars that it needs," said Nokia’s CEO for UK and Ireland, Cormac Whelan, in an exclusive interview with Total Telecom.

While network operators have been fairly proactive about securing their networks internally, Whelan feels that the danger for consumers is that their data is vulnerable if it passes between networks. As more and more data is collected and passed between third parties, who is responsible for securing that information?  

"I think the big question is where does the average person believe the responsibility for security sits. Where ever you are in the world, people think that the security of their data sits with whoever holds that data. For example, the medical records at your doctors, or the car records with the garage that services your car. That’s fair enough if your data is just sitting with that person, but what happens when that data is sent somewhere? Who is responsible for the security of that data? The company sending the data, the company receiving it, or the network provider over whose network the data is being sent?  As consumers, we tend to assume that it is being taken care of. My concern is that I’m not sure that it is being taken care of," he added.

This problem is compounded when you extend the example to the running of smart cities, connected cars and other big data generating projects. It is all very well and good for network operators to claim that the data is secure on their networks, but what happens when it leaves the network?

"I think there is an expectation that your data is secure by default, whereas it has not been secured by design. "By design" means that it is not being built into an end-to-end transference of data. It is not secure on an end-to-end basis. It might only be secure for a portion of that journey.

"I’m sure that network operators would say that the security is end-to-end within their network, but if you are running a SMART city communication application, the incumbent network is just a bit in the middle. So how do you secure all that end-to-end when you are designing all these kinds of things?" he asked.

Whelan also touched on this theme during the Connected Ireland event in Dublin last week, saying that network operators needed to evolve the way they think of network security to stay one step ahead of the hackers.

"At the core of my argument is that what’s needed is the ability to detect before the damage is done; to monitor inside the network both in access and core to help protect end customers, because it is often more important to know what something is trying to do, than what it is actually doing.  We can also look for application anomalies, evidence of malware, and to look for correlation," he said.

Evolved Intelligence’s product director Steve Buck echoed these sentiments when I spoke to him earlier this week. Buck argued that prevention is better than cure,  but that fine margins in the industry were stunting investment in cyber security within the telecoms sector.

"I think operators are finding it hard to build a business case because margins are so tight. The problem is that [network security] is not something that you can advertise very easily to the end user. You can advertise on price, or on the speed of your network, but how do you advertise that your network is secure when people already assumed that it was secure to begin with? Essentially, it’s a hygiene factor – it’s not something that customers want to pay for but they expect it to be there," he explained.  

This quote really highlights the problem with attitudes to cyber security in the industry at the moment. Consumers assume that someone else is ensuring the safety of their data, most likely their network provider. Meanwhile, operators believe that they are only responsible for the security of that data while it is travelling on their networks. As data is passed from one source to another, over multiple networks, cracks appear in its security, leaving the back door swinging on its hinges for cyber criminals and hackers to exploit.  


Friday Review – 08/12/2017