A new white paper from Patrick Donegan of HardenStance takes a close look at the growing problem of how to secure telco networks from intrusion and disruption by nation states. His main findings are that:
- nation states are taking bigger risks to undermine the telecoms services of other countries;
- there is no longer a clear distinction between cyber disruption conducted by nation states and criminal gangs;
- nation states use a wide variety of techniques that involve exploiting mundane vulnerabilities as well as deploying advanced hacks; and
- governments will inevitably impose more demands on telcos in the interest of national security.
Donegan summarizes recent cyberwarfare victories by Russia, China, Iran and North Korea but also highlights the increasing number of nation states that pose a threat to network security. The rising risk is exacerbated by criminal gangs lending their skills to nation states as the cyber equivalent of mercenaries and paramilitaries.
It is common to associate risk with placing too much trust in the software or equipment supplied to telcos by vendors, as epitomized by prohibitions on purchasing 5G networks from Huawei. However, Donegan emphasizes that nation states also use much simpler methods to compromise security, abuse old interfaces, exfiltrate sensitive information, and spread confusion.
My only criticism is that I believe Donegan is too conservative when evaluating the risk of nation states attacking the soft underbelly of telcos, even though he is one of the few analysts who appreciates why bad actors still use age-old methods of manipulating and corrupting fallible human beings. There have been a slew of documented cases where access to important systems has been compromised and information has been stolen by socially engineering, phishing and suborning employees and contractors. Nobody should be above suspicion; even telco fraud managers will use their privileged access to sell information to criminals. The security industry does not pay sufficient regard to these obvious weaknesses because it is more difficult for security vendors to monetize the supply of relevant solutions. Human frailties never change, and that includes carelessness when there is no reward for being diligent and disciplined. That is why we must always anticipate these frailties and seek to curb them before somebody else can take advantage.
Donegan’s paper, entitled “Defending Telecoms Against Nation State Cyber Threats”, is crisp, informative, and well worth reading. It is freely available from here.