Communications service providers (CSPs) across Asia Pacific need to prepare themselves to plug their cybersecurity gaps and mitigate the risks of the 5G world.

Now that remote working has become the norm, connectivity has become indispensable, but also ever more vulnerable. Telcos and ISPs currently suffer more cyber-attacks than any other sector.

With 5G network rollouts underway across the region, heightened security measures are critical: the consequences of a mishandled attack could be catastrophic.

Despite the potential repercussions, most service providers surprisingly still lack the expertise and knowledge needed to handle such cyberattacks.

The need for specialist support in protecting customers is very real in a 5G world where ensuring maximum speed and uninterrupted connections is vital. More than just ensuring enhanced connectivity for their clients, telcos and ISPs need to stay protected against even the most sophisticated cyber-attacks.

Currently working with service providers such as StarHub and So-Net Entertainment, Nexusguard aims to arm service providers with robust cybersecurity systems as organizations look forward to faster digital infrastructure and improved e-commerce capabilities.

CybersecAsia delved into the issues and solutions with Andy Ng, CEO of Nexusguard:

Why are telcos and ISPs targeted by bad actors? What are some of the most common cybersecurity threats they face?

Ng: We have been on the frontlines of defending against attacks in numerous cases involving telcos and ISPs, or CSPs as a collective term. CSPs’ core infrastructure is the heart of their business. Their huge customer-facing footprints, combined with the corresponding volume of data their customers transmit, make them enticing targets for bad actors.

Being able to target and take down the availability of part or all of a CSP’s core infrastructure, most commonly achieved with DDoS attacks, would mean crippling the network, and this will ultimately affect everyone who is dependent on the CSP for day-to-day operations.

Being able to successfully compromise the integrity of CSP infrastructure and the confidentiality of the data that traverses the CSP’s network would mean giving bad actors access to spy on calls, texts and all forms of communication, which could be diverted, modified or stolen for illegal gains, all of which would be catastrophic in effect. This is typically achieved by man-in-the-middle-type attacks such as BGP or DNS poisoning, or by targeting vulnerabilities or exploiting back-doors in appliances and technologies along the path.

One thing that is yet unclear though, is this: are the CSPs being targeted specifically? Or are they inadvertent collateral damage because the ultimate targets just so happen to be using said CSP’s services?

Regardless, what is clear is that, due to the nature of a CSP’s business and its position along the communication supply chain, it does seem to make perfect sense for bad actors to target the nexus of this supply chain.

Well-resourced CSPs have invested in protecting their infrastructure. But with the explosive growth in backbone infrastructure and connected IoT devices, coupled with stagnation in worldwide internet security, we have seen increasing signs of bad actors taking whatever advantage they can to overwhelm security teams, no matter how small or large the CSPs are.

We fear that CSPs can no longer treat this as an issue to be swept under the carpet.

What do you observe to be the current cybersecurity gaps faced by CSPs in Asia Pacific, and what likely disruptions and inconveniences would customers and businesses face should CSPs remain under-prepared for more advanced cybersecurity threats?

Ng: From a technology perspective, cyberattacks are larger, more sophisticated, last longer, and are much more targeted:

  • As internet infrastructure continues to be upgraded, there are now 400G backbones, 5G networks, and more than 20 billion IoT devices around the world. These numbers are rising rapidly, and the days of petabyte attacks are really not far away. Moreover, because everything is now always connected and never turned off, attacks are now lasting much longer than ever before.
  • This means that a 40G DDoS mitigation solution that was effective, say, 3 years ago, or simply the larger variant of the same technology they can get from the typical vendors today, is no longer relevant in today’s landscape, where we constantly see attacks in the hundreds of gigabits, not to mention terabit attacks. The traditional strategy will never be able to scale fast enough.
  • Apart from size, attackers and their attacks are also getting more advanced and targeted. Attackers now craft attacks designed to take advantage of the way CSP networks operate in order to take them down. And the fact is, today’s CSPs are just not equipped with the capabilities, skills or experience to deal with such attacks, and are currently suffering under them.
  • One such attack is what Nexusguard discovered in late 2018, which was subsequently given the name “Bit and Piece attacks”. While we’ve observed this specific type of attack continue to evolve into newer and more potent versions, CSPs are still at a loss as to how they can effectively mitigate its original version.

From a business perspective, the expectations from external and internal stakeholders have also changed:

  • Externally – CSP customers now fully expect CSP products to come with built-in security that takes care of the DDoS problem. After all, they are paying for connectivity, and the availability of that connectivity should be the CSP’s responsibility. If not for free, then it should at the very least be available to customers as an add-on.
  • Internally – Because the DDoS issue is so closely linked to a CSP’s core products, your business and sales teams expect the DDoS problem to be already solved and not be a hindrance to their selling of the core services. In many cases now, DDoS protection is a basic requirement tied to connectivity RFPs and tenders.

Without the capabilities, the knowledge of how to effectively address these issues, or someone to turn to who can, the customers of these CSPs will continue to suffer outages and compromises, eventually leaving these CSPs. At the end of the day, this will result in declining revenue and profitability for these CSPs.

How would disruptions in mission-critical applications and processes lead to serious consequences, especially with 5G rollouts underway?

Ng: At the enterprise level, mission-critical applications and processes are those that have the greatest impact on an enterprise’s operations and its need for recovery, in turn impacting short-term returns and long-term profitability.

At the country level, it refers to the critical infrastructure and backbone services that allow a country to function properly and provide its citizens with the basic necessities essential to life. At this level, disruptions to these infrastructures and services will result in certain loss of life.

The advent of 5G technology has presented an optimum solution to the “last mile problem” and has allowed markets in developing countries, especially where physical infrastructure is still weak, to thrive. The 5G promise in such areas is that once all of 5G’s components are fully deployed and operational, one would no longer need any kind of wires or cables to deliver communications between any devices. While that may sound enticing from an implementation perspective, the reliability of such a replacement for physical cables, when put to the challenges of real-world attacks, is yet unknown.

In any case, providers of such critical services are increasingly pushing the responsibility of ensuring service availability onto CSPs. CSPs might find themselves at risk of indictment, with serious consequences ranging from huge fines to the dissolution of such operations.

What can be done to address these gaps and risks?

Ng: Cybersecurity capabilities are critical to a CSP’s survival and growth, and this has never been more evident. It is important to recognize the vast differences between cybersecurity as an operational capability and cybersecurity as a business and growth enabler.

In both cases, when it comes to cybersecurity and specifically DDoS attacks, it will be counterproductive to approach the issue single-handedly and arrive at an outcome that is far from effective.

Whatever the strategy, CSPs need to realize the total cost of ownership involved to arrive at their desired outcome:

  • Cost of protecting their infrastructure, both locally and in the cloud
  • Cost of maintaining the technology
  • Cost of ongoing operations and support for internal and external customers
  • Cost of go-to-market, including service design and productization

From a cost, risk and speed-to-market perspective, CSPs will find that it makes absolute sense to instead seek out managed security providers such as Nexusguard that have made it their mission to address all of the above without taking away the CSPs’ ability to continue delivering increased value to their customers.

We have proven that within a span of 90 days, it is possible for CSPs to achieve a DDoS-resilient network and, at the same time, create a suite of managed cybersecurity services that their clients can enjoy.