New Paper Analyzes How Nation States Threaten Telco Security

A new white paper from Patrick Donegan of HardenStance takes a close look at the growing problem of how to secure telco networks from intrusion and disruption by nation states. His main findings are that:

  • nation states are taking bigger risks to undermine the telecoms services of other countries;
  • there is no longer a clear distinction between cyber disruption conducted by nation states and criminal gangs;
  • nation states use a wide variety of techniques that involve exploiting mundane vulnerabilities as well as deploying advanced hacks; and
  • governments will inevitably impose more demands on telcos in the interest of national security.

Donegan summarizes recent cyberwarfare victories by Russia, China, Iran and North Korea but also highlights the increasing number of nation states that pose a threat to network security. The rising risk is exacerbated by criminal gangs lending their skills to nation states as the cyber equivalent of mercenaries and paramilitaries.

It is common to associate risk with placing too much trust in the software or equipment supplied to telcos by vendors, as epitomized by prohibitions on purchasing 5G networks from Huawei. However, Donegan emphasizes that nation states also use much simpler methods to compromise security, abuse old interfaces, exfiltrate sensitive information, and spread confusion.

My only criticism is that I believe Donegan is too conservative when evaluating the risk of nation states attacking the soft underbelly of telcos, even though he is one of the few analysts who appreciates why bad actors still use age-old methods of manipulating and corrupting fallible human beings. There have been a slew of documented cases where access to important systems has been compromised and information has been stolen by socially engineering, phishing and suborning employees and contractors. Nobody should be above suspicion; even telco fraud managers will use their privileged access to sell information to criminals. The security industry does not pay sufficient regard to these obvious weaknesses because it is more difficult for security vendors to monetize the supply of relevant solutions. Human frailties never change, and that includes carelessness when there is no reward for being diligent and disciplined. That is why we must always anticipate these frailties and seek to curb them before somebody else can take advantage.

Donegan’s paper, entitled “Defending Telecoms Against Nation State Cyber Threats”, is crisp, informative, and well worth reading. It is freely available from here.

Eric Priezkalns
Eric is the Editor of Commsrisk. Look here for more about the history of Commsrisk and the role played by Eric.

Eric is also the Chief Executive of the Risk & Assurance Group (RAG), a global association of professionals working in risk management and business assurance for communications providers.

Previously Eric was Director of Risk Management for Qatar Telecom and he has worked with Cable & Wireless, T‑Mobile, Sky, Worldcom and other telcos. He was lead author of Revenue Assurance: Expert Opinions for Communications Providers, published by CRC Press. He is a qualified chartered accountant, with degrees in information systems, and in mathematics and philosophy.