As companies, industries and economies become more digitalised, there is a need to build up an appropriate security assurance framework to mitigate the risks of a larger “digital attack surface” as people work, play, learn and transact online.
The same improvements in technology that have helped lift efficiency and standards of living are exploited by bad actors too. The growing intensity of digitalisation has the unfortunate side effect of opening up new ways for attacks to take place.
“The old ways are not going to be good enough in terms of how we consider and whether we really take cybersecurity seriously,” says Huawei USA’s chief security officer, Andy Purdy. “We have to make sure that cybersecurity is in fact a common concern,” says Purdy at the Singapore International Cyber Week 2020.
In fact, he warns that cyber criminals and malicious actors in cyberspace have “a huge advantage”, and that the world has to “do better” in this area. One way of doing so is to improve the security assurance and related certification frameworks that the world currently has.
Purdy laments that while technology improves rapidly, laws and regulations have remained outdated and inconsistent. “There's a lack of international standards for security assurance,” he says.
A secure, widely deployed mobile network will be the next-generation telecommunications infrastructure on which cloud computing, big data, artificial intelligence, knowledge and resource sharing, service delivery and other advanced applications can be delivered.
However, security of this new, growing, and interconnected ecosystem is key. As such, he is advocating for the use of a security assurance framework that is independent, transparent and consistent across different regions. “The mobile industry needs a globally trusted, mutually recognized, security assurance scheme,” says Purdy.
“Governments, operators, suppliers and standard development organisations need to collaborate to continuously improve cybersecurity assurance and transparency, the ability to know what is being done and how it’s being done, and the lessons learned can be shared, so there can be an improvement,” he explains.
To be sure, there are various security assurance schemes in existence, such as the Common Criteria, ISO and the PCI. However, there isn’t a fully global set of technical standards for telecommunications equipment security assurance yet.
As such, the various assurance schemes, built on varying technical specifications, face certain limitations. To put it another way, the threat is global but the defence is only regional.
The telecommunications industry has gone down this road before, and suffered unnecessary cost for it. He recalls the time of the older 2G and 3G networks, when different parts of the world used different mobile network standards, forcing suppliers to comply with different standards depending on which markets they were in. That led vendors to focus narrowly on certain geographies, depending on where they were better able to comply.
“That meant that in any one region of the world, you didn’t have a full range of robust competition that can give you the benefits of being on the same level playing field: increased innovation, reduced costs, greater security and greater resilience,” says Purdy.
Now, as 5G next-generation mobile networks are being deployed, Purdy sees a chance to introduce a global security standard for cybersecurity: NESAS, the Network Equipment Security Assurance Scheme.
Jointly defined by 3GPP and GSMA, two global telecommunications industry bodies, NESAS, according to Purdy, is a well-specified and widely adopted cybersecurity assessment and verification mechanism.
Besides defining security requirements, NESAS is also an assessment framework for secure product development and product lifecycle processes. This gives mobile network operators visibility into the security capabilities of their equipment vendors and their network products, prior to purchase.
NESAS also provides operators with baseline security requirements that network equipment can be measured against, and it can reduce the volume of testing each operator must do itself, since the baseline testing is outsourced to experts in accredited test laboratories. This brings tangible benefits to network operators, as well as to national authorities and regulators.
“NESAS provides a security assurance scheme, ready for use. It can increase effective security while not negatively impacting the industry. This is important as it helps avoid fragmentation of security requirements across the global market,” says Purdy.
To date, more than ten global tier-one carriers, including five in the EU, have asked for NESAS before deployment. Besides Huawei, other leading mobile network vendors such as Ericsson and Nokia are openly supporting NESAS as a 5G unified cybersecurity assurance foundation.
In another sign that the industry is better aligned, on Aug 24, GSMA announced that the world’s leading equipment vendors, including ZTE, have successfully completed an assessment of their product development and lifecycle management processes using NESAS.
“A shared and tailored security assurance scheme is the idea. Customized, authoritative, unified, efficient and constantly evolving, so that the mobile industry can continue to meet the needs of individuals and organizations with confidence,” says Purdy.