
CTA Champion Patrick Donegan, Founder and Principal Analyst at Hardenstance, presents his guest blog on collaboration pertaining to the telecommunications industry. Cybersecurity collaboration comes in many flavors – here is an update from his participation in the Mobile World Congress earlier this year.
Patrick Donegan, Founder and Principal Analyst, HardenStance
One of the most salient lessons I learnt at school came during my first junior school Christmas Party. Come lunchtime, Miss Parker declared the party could start and there we were: thirty kids in a big circle of classroom chairs clutching the party food we had each brought to school that morning (cakes, drinks, biscuits, crisps, chocolates, sandwiches etc).
Miss Parker was 21 or 22. It was her first job. She was not at all sure of herself. So she asked us 7 year olds how we wanted to divvy up the food. Eat our own? Or share it all out? Being 7, and very excited about what we’d each brought (I had a box of crackers), we voted heavily in favour of playing safe and sticking with our own stuff. This lasted 3-4 minutes until random bouts of unilateral bartering started breaking out. If I remember rightly, I traded a couple of crackers for some kind of cake (which struck me as a pretty good deal). A couple more minutes later, by which time both unilateral and multilateral bartering were in full swing, we realized our mistake. So we U-turned, shared everything out on a big table, and had ourselves a great party.
A few decades on, in the cybersecurity industry where I ended up pitching my tent to make a living, I come across all three of those sharing/not sharing models almost every day. (1) I’m fine, I don’t need you or anyone else. (2) I need and trust you, so I’ll help you. But I don’t trust – and won’t help – anyone else. (3) Let’s have a formal collaboration framework whereby we can all progress faster than any of us would on our own.
The telecom sector is certainly too big, too regulated, and too dependent on common standards for any one telco to eat just from its own box of crackers. None of them do. That said, quite a lot of telco sharing in the cybersecurity domain – whether of cyber threat intelligence or other aspects of cybersecurity best practice – still maps to the second, more limited, sharing model rather than the richer potential of the third.
Hence, I was very encouraged to see evidence of a collaborative approach to addressing cyber resilience at the Mobile World Congress earlier this year in Barcelona. I’m referring to the work of the GSMA’s new Post Quantum Telco Network (PQTN) Task Force, which held a dedicated two-hour seminar during the four-day event. Its mission is “to define requirements, identify dependencies and create the roadmap to implement quantum-safe networking, mitigating the risks associated with future, more-powerful quantum computers.” There are 57 member companies including major telcos AT&T, Verizon, Vodafone, Telefonica, and Orange.
As you’d expect from the traditions of telco collaboration, the PQTN Task Force is doing plenty of work on the OT side of the house, planning for the migration of the telecom network infrastructures themselves to Post Quantum Cryptography (PQC). This is evident throughout the three deliverables the task force has published to date, on impact assessment, risk assessment and telco use cases. One early area of technical collaboration is looking at ways of making substantial cost savings by ensuring tight alignment between telco infrastructure roadmaps for Public Key Infrastructure (PKI) evolution and roadmaps for the introduction of PQC.
Unusually in terms of the telecoms sector’s traditional approach to cybersecurity, however, this Task Force has extended its remit way beyond technical and operational specs and procedures for the network. It is also extending its work to collaborate on far-reaching organization-wide aspects of quantum resilience. As the PQTN Chair, IBM’s Lory Thorpe, put it during the seminar, “It’s not a CISO problem – it’s a challenge for the entire organization from the top down”, requiring leadership, sponsorship and funding mapped down to the departmental level.
The threat that quantum computing poses to contemporary encryption isn’t just real, it’s imminent. To be clear, it isn’t imminent because a quantum computer capable of breaking contemporary encryption will materialize any day now. Rather, it’s imminent because of the efforts nation state intelligence agencies are known to be putting into Store Now Decrypt Later (SNDL) attacks. As the name suggests, these involve obtaining and storing encrypted data today and then holding on to it until a sufficiently powerful quantum computer becomes available to allow the data to be decrypted.
Quantum resilience is a big challenge for the telecom sector, as it is for other industries with huge and complex OT environments. It’s great to see this industry recognizing the need to up its level of collaboration in an effort to rise to that challenge – and doing it in a way that encompasses the need for broader cyber risk assessment and organizational alignment, not just technology risk.
The Vice Chair of the PQTN, Luke Ibbetson, Head of R&D, Vodafone Group, even went as far as to tell the MWC seminar that “the work we’re doing is now being taken as a very good blueprint for other industries to adopt as well.” If other sectors do leverage this work, telcos will further benefit from driving the quantum resilience roadmaps of their own customers – and stimulating demand for the quantum safe products and services that they’ll be in a position to sell. In the pursuit of critical cybersecurity goals, collaboration works.