What the UK Government’s Telecoms Security Bill means for the future of the industry

23 July 2021 | Matias Madou


Huawei is one issue, but the UK's Telecoms Security Bill also changes penetration testing requirements. Matias Madou, co-founder & CTO, Secure Code Warrior explains

The Telecoms Security Bill is currently making its way through the UK parliament. It seeks to introduce a new security framework for the UK telecoms sector to ensure that public telecommunications providers operate secure and resilient networks and services, and manage their supply chains appropriately. Like many industries, telecoms has relied on reactive security for too long. While the new rules introduced by the bill don’t prioritise a ground-up, baked-in approach to security led by secure coding, they do introduce a series of tests to ensure providers are compliant with government standards. So, what does the bill mean exactly, and how are these new rules going to ensure that security risks and compromises are minimised in the sector?

In simple terms, the bill aims to give the government unprecedented new powers to boost the security standards of the UK’s telecoms networks, whilst removing the threat posed by high-risk vendors. Such measures include new controls on the use of Huawei 5G equipment - including a ban on the purchase of new Huawei equipment from the end of this year - and a commitment to remove all Huawei equipment from 5G networks by 2027.

However, another important element of the new regulations is the changes to penetration testing laws. Telecom providers will be expected to pen-test their networks every year. Whilst many do so already, new regulations will make the practice compulsory.

So, what is pentesting, and will its compulsory implementation ensure that telecommunications vendors are more secure?

Penetration testing (also known as pentesting or ethical hacking) is a security technique designed to identify, test, and highlight vulnerabilities in IT systems. This is achieved by allowing ethical hackers to simulate cyber-attacks to test the security of a computer system, network, website, or application. The simulation helps to identify vulnerable entry points into a company’s IT infrastructure by mimicking the methods used by real attackers, and tests the strength of security controls against plausible real-life scenarios.

It is important for businesses to put their security infrastructure to the test, from code through to network, through a process that is tailored to each IT system and its structure. This allows specific vulnerabilities to be highlighted before real attackers exploit them, a benefit for both security teams and customers using the network. Many telecommunications providers already use pentesting, as it continues to be a crucial step in securing IT infrastructure. In fact, Markets and Markets recently reported that penetration testing remains on track to become a $4.5 billion industry by 2025. Once pentesting becomes a legal requirement under the proposed telecoms bill, failure to comply would mean substantial fines (up to 10% of turnover).

While pentesting is obviously an integral element in securing telecoms networks - and has been common practice for most governments for years - it is important to note that it is not a one-stop shop for any organisation’s security offering.

Firstly, the success of a pentest relies heavily on the pentester’s level of experience. If the chosen professional lacks experience with particular IT systems or applications, you cannot be sure that your infrastructure has been comprehensively tested. Ultimately, it is very unlikely that a pentester will uncover every security issue or possible entry point in a single simulation. Pentesting is not a full security audit and shouldn’t carry the same weight as one. Additionally, security teams are often poised and ready to react when they know a pentest is underway. Clearly, this is not representative of a real cyberattack, where the breach is usually unannounced and unexpected.

There are more efficient ways to maximise telecoms security, many of which are missing from the proposed government bill. These solutions include, but are not limited to, a good security culture, attentive executive leadership and upskilling developers in security. Many companies and government bodies looking to build more robust security programs that stay in step with key security developments are already investigating a more preventative approach. However, it is imperative that the people factor is a key consideration in any defensive security plan.

If the people who write and deploy the code behind these telecoms networks were properly trained and more security-aware, slow, complicated pentesting would be far less likely to turn up the common errors that can lead to big problems, and its focus could instead be directed at the expert-level issues that developers would never be expected to solve.

In summary, the new regulations forming the Telecoms Bill are a positive move for the industry.

With pentesting becoming compulsory, more vulnerabilities will be highlighted and telecoms networks will become more secure by default. However, it is important to use pentesting in conjunction with other security methods, such as upskilling developers in security from the start, in order to ensure the most secure outcome.