CYBERSECURITY IN TELECOMMUNICATIONS

Telecommunications in all forms is increasingly central to our working and personal lives. Dependence on the rapid availability of data and instant communications continues to rise. This was exacerbated by the COVID-19 pandemic, which forced a majority of society to begin operating fully remotely. Dependence on the telecommunications industry is paramount during a national emergency. The global telecommunications sector is a mix of government, former government, and commercial operators. They deliver services for customers, but also wider benefits for society. It is in everyone’s interest for the telecommunications industry to be competitive, to prosper, to invest in the latest technologies, to be well defended against hostile actors, and to behave in ways that balance the needs of customers with the requirements of government. The telecommunications industry stores, manages, and transports a vast amount of valuable data for individuals, society, and digital commerce. The means to communicate, share, innovate, and prosper is inextricably linked to the way in which the telecommunications industry can mobilize technology and innovation on a global scale. The telecommunications supply chain is becoming increasingly politicized, particularly as security concerns emerge from Chinese companies Huawei and ZTE. To address these growing challenges, this chapter recommends a much deeper partnership between telcos and government, along with building a significantly diversified supply chain, so there is not heavy reliance on high-risk vendors.

WHAT MAKES THE TELECOMMUNICATIONS SECTOR UNIQUE

The global telecommunications sector is a mix of government, former government, and commercial operators. The networks are a critical part of the business infrastructure and increasingly seen as part of the critical national infrastructure. They deliver services for customers but also wider benefits for society.

The telecommunications industry stores, manages, and transports a vast amount of valuable data for individuals and society, digital commerce, and critical national infrastructure.

The threat from cyber actors is increasing in sophistication, persistence, and variety—and the risks posed are not easily mitigated. Cybersecurity needs to be multidimensional, transcending the risk management and response capabilities of any single enterprise, industry, or government. The damage inflicted by successful cyberattacks is not just financial and commercial but can also lead to long-term reputational damage and regulatory action. Customer confidence is crucial. Customers need to know that their data are safe and to understand how companies will use these data and the basis on which the government can secure access to these data. Customers need to trust service providers to behave responsibly in this regard. Telecommunications is a regulated business. Service providers are required to give governments access to customer traffic and data in accordance with licensing regulations and the laws of the jurisdictions in which they operate. Our policy is clear: telecommunications companies should not hand over customer data unless they are lawfully required to do so.

CHALLENGES FACING THE NEW ADMINISTRATION

MAINTAINING TRUST BETWEEN BUSINESS, GOVERNMENT, AND SOCIETY
We need to align the interests of customers with those of business and government. The experience of Apple versus the FBI might suggest that the interests of industry, government, and society are divergent. We would argue absolutely not. It is about reaching an agreed compromise, a question of balance, not absolute choices. Crucially, it is about trust and transparency.

REGULATION LAGS BEHIND GLOBALIZATION AND THE PACE OF CHANGE
In a globalized information economy, telecommunications companies will often deliver products and services using centralized platforms and infrastructure located across multiple jurisdictions. Regulations that unduly restrict the cross-border transfer of personal and machine-generated data are likely to impede service delivery and distort investment decisions.

The speed of technology change challenges existing regulation. Services come and go rapidly and the development cycle is shortening.
Legislation should clearly outline the purpose and offer clarity about the types of government agency that can require access to customer data, along with the process by which that data can be secured. The process should be auditable, and it should be possible, through that audit, to verify that the lawful system is being used.

THE NEED TO KEEP UP WITH THOSE WHO THREATEN OUR NETWORKS
The scale and changing nature of the challenge are disrupting industry attempts to build internationally compatible safeguards and making it more difficult to have a mature debate with customers about privacy and security.

RECOMMENDATIONS

INCIDENT REPORTING AND INFORMATION SHARING
Following an incident, everyone needs to be clear and precise about what has happened, but government decisions about incident notification and public disclosure of major incidents (or audits) should not be allowed to disrupt or undermine industry attempts to mount an appropriate and proportionate response.

For the industry to make meaningful headway on standards and standardization, we need to see more intergovernment coordination on standards work to deliver globally accepted outcomes that strike at the heart of the issues.

The telecommunications industry also requires a legal and regulatory framework to promote and uphold technology neutrality and provide a legal framework to encourage investment in future-capable networks that will carry exponentially growing data in virtualized cloud-based environments.

TAKE A LIGHT HAND WITH REGULATION
Government needs to lead and support national and international conversations required to find the appropriate balance between the need to protect the privacy of the individual and the need to ensure the collective security of society. Policy and regulation must be developed with the specific needs of the enterprise sector in mind rather than as a by-product of regulation designed for consumer needs.

BROADEN THE VISION OF THE PUBLIC-PRIVATE PARTNERSHIP BETWEEN TELECOMMUNICATIONS AND GOVERNMENT
In the digital age, private companies are on the frontline of defense when it comes to cyber threats. Many attacks are not launched at telecommunications companies but through them, in some cases against government or national-security targets. Third parties may struggle to manage the impact of high-level attacks if their prevailing business models don’t allow for further investment in cybersecurity. In these situations it might be cost-effective for government to use telecommunications companies to provide enhanced security where further investment is needed to reduce the impact of high-level threats and provide a broader common level of defense that is beyond the reach of some organizations but ultimately in the national interest.