Who's responsible for cybersecurity?

Monday, February 26, 2018

When Telefónica became one of the victims of the WannaCry ransomware attack last year, it sparked a debate about how secure telcos really are. Weren't they supposed to be on the frontlines of cybersecurity? 

Jaya Baloo, chief information security officer of KPN Telecom in the Netherlands and a cybersecurity expert, believes that a global standard needs to be introduced for all hardware and software before 5G becomes a reality. Otherwise, if we connect millions of insecure devices, we could be creating a huge and unfixable problem.

Baloo will be speaking at the Mobile World Congress in Barcelona this week, and at the SingularityU Chile Summit on March 14-15. (BNamericas subscribers can obtain a 10% discount to attend the event in Santiago by completing the following form.)

BNamericas: So the issue is the lack of standardization of global protocols for hardware and software?

Baloo: Even if there was standardization, the certification protocols are weak. They were not built with cybersecurity in mind. Protocols like Bluetooth and Wi-Fi were built to connect things. The biggest driving factor is functionality, not security. They think, 'Let's get the thing working first and worry about security later.'

BNamericas: With WannaCry, Microsoft has said that companies should have applied the software patches and updates.

Baloo: Well, what about lifetime support? You should support older Windows versions. It's not always possible for companies to update their software. For instance, take medical devices, like MRI scanners in radiology departments; they are built with a protocol called HL7. The problem is they can't just upgrade the protocol, because they could lose the certification to operate the device.

In South America there are a lot of mining and petrochemical plants which use industrial systems that are running old versions of Windows. They can't step away. If they try to upgrade some of these systems, other hardware and software will no longer work.

BNamericas: ATM machines reportedly run old versions of Windows and are relatively easy to hack.

Baloo: Getting into the back of an ATM is not as easy as it might sound, but if it is connected to the internet it is vulnerable. It should be segmented locally. That system may not be directly connected to the internet, but there may be other systems that are and, when these systems can be compromised, it takes a hacker a little bit of skill to eventually compromise those secure systems. So what a lot of companies do with their legacy systems is they tend to keep them in relative isolation, hoping that in the future they will be replaced with something better, faster and more secure. But in the meantime you still have this thing connected to your network and still in operation. You need to keep an eye on it and that requires investment in legacy technology.

BNamericas: What sort of hardware and software is most vulnerable?

Baloo: Often older Windows versions that are being used to run hospital equipment, operational technologies, manufacturing equipment. The company that was most affected by WannaCry was Maersk, with 300mn euros worth of damage. They had a lot of old systems on their OT backend, which weren't segregated. On top of the operating systems are often placed weak applications that haven't been tested for security before going live. Shodan.io [a search engine that lets the users find specific types of computers – webcams, routers, servers – connected to the internet using a variety of filters] is one of many websites that posts online vulnerabilities and weak links in systems and devices. It is easy for opportunistic hackers to Google search for vulnerabilities around the world, and then you go around and infiltrate those weak points.

BNamericas: Does putting things in the cloud make these systems safer?

Baloo: Sometimes it makes them safer, sometimes it doesn't. Not all clouds are created equal. It depends on your own risk profile. In security, first of all you need to know what you need to protect against and who you need to protect it from. Once you know that you can determine whether certain parts of your network are ready to go to the cloud.

If you hand the management of your infrastructure over to someone else, I hope that you can verify the trust that you put in this cloud provider; it could be that they're doing stuff with your data that you don't want them to.

BNamericas: What should telecommunications operators do to improve security?

Baloo: First of all they need to maintain trust with their customers by providing secure and continued service for all products. That starts with thinking about what we buy. And that requires being more open with our vendor community and being transparent about your security requirements. Our security policies are open source for all to see. Instead of keeping that stuff secret you need to communicate it and be really specific. You need to be a friendly dictator, a transparent one, but you need to tell people what to do for their own good. Make sure you make agreements with your suppliers and tell them you are going to test everything and if you find vulnerabilities you will make the vendor pay for your testing processes.

A lot of companies don't test products for security before offering them to the public.

BNamericas: With 5G more things are going to become connected. Standards are being drawn up now. Is security being taken into account?

Baloo: That is my fear for 5G, that we are connecting things, building new technology with old vulnerabilities still inside. Mixing two dumb technologies doesn't suddenly make them smart. That is the nonsense that marketing has sold us with smart cities – I don't buy it. I think you are opening a huge potential hole for security if you don't understand that they are still dumb devices and there needs to be a lot of intelligence on top if you allow them to communicate with each other.

BNamericas: And who is primarily responsible for that?

Baloo: It starts with the software and hardware manufacturers. But the responsibility and burden of proof goes all through the chain. At KPN, we have a long-range protocol. We hacked it, brought it down and then fixed it to make sure that nobody can do that to us. And I think that is an inherent responsibility for anyone providing connectivity or 5G. You need to be able to kick your technology a couple of times, and only when it still stands after a few punches should you be able to deliver it to customers.

BNamericas: This comes down to the private sector. Should governments also play a role?

Baloo: Governments so far have put requirements on everyone except the hardware and software manufacturers. The issue is that they have better lobbies than anyone else, just Google the network and information security (NIS) directive in the EU. You have transport, healthcare, telecom, everyone in there except hardware and software vendors.

BNamericas: Do you see any discussion of these things with regard to 5G?

Baloo: Things are happening but it's not joined up. It's sporadic. You also have a limited window to actually address and fix. Again, my concern is there being insecure devices out there that are non-updatable. They're still going to have battery life and be connected but you're never going to be able to get them fixed. It's going to be easier to attack and harder to defend unless we nip it in the bud now.

About Jaya Baloo

Jaya Baloo is chief information security officer (CISO) of KPN Telecom in the Netherlands. She was recognized in 2017 as one of the top 100 CISOs globally. Working in the information security arena for the past 18 years, Baloo has worked mostly for global telecommunications companies such as Verizon and France Telecom. The executive is a frequent speaker at security conferences on subjects around lawful interception, mass surveillance, and cryptography.