5G roll-out challenges: Governance, legislation, awareness, capacity and NESAS standards

Thursday, 2 December 2021 02:06

Chief Guest ICTA Chairman, TRCSL Director General Oshada Senanayake

Guest Speaker Dr. Kanishka Karunasena, Head of Research, Policy and Project, SL CERT

SL CERT - CEO Air Cdre (Retd) Jayasiri Amarasena

Dialog Axiata Network and Services Assurance SGM Ruchira Yasaratne

Mobitel Enterprise Risk Management SGM Jeewapadma Sandagomi

Moderator CICRA Holdings Group Director-CEO Boshan Dayaratne


The 8th Annual Cyber Security Summit, jointly organised by CICRA and Daily FT, put the spotlight on the challenges of 5G roll-out, stressing the importance of governance, legislation, awareness and capacity as well as applying NESAS standards.

The full-day Summit’s second session, dedicated to discussing the trends to watch in data security regarding future developments in digital currency and the 5G roll-out, included the following speakers: Information and Communication Technology Agency (ICTA) of Sri Lanka Chairman and Telecommunications Regulatory Commission Director General Oshada Senanayake; GSMA Asia Pacific Head of Technology David Turkington; Computer Emergency Readiness Team (SL CERT) CEO Air Cdre (Retd) Jayasiri Amarasena; Dialog Axiata Plc Senior General Manager, Network and Services Assurance Ruchira Yasaratne; Mobitel SGM, Enterprise Risk Management Jeewapadma Sandagomi; and SL CERT Head of Research, Policy and Projects Dr. Kanishka Karunasena.

Drawing on the Government perspective, international cooperation and industry-wide concerns, the panel offered a comprehensive view on how the government, industry and standards organisations should work together to build standards that mitigate the risks brought by disruptive technologies. To ensure network operations are sustainable and cost-effective for the ecosystem, the panel believes that a network security assessment scheme should follow a universal and uniform standard.

Develop a comprehensive national strategy to enhance our cyber readiness

With the Telecommunications Regulatory Commission of Sri Lanka (TRCSL) set to include 5G frequency in the spectrum auction, 5G is moving closer to everyday life in Sri Lanka.

ICTA Chairman and TRCSL Director General Oshada Senanayake highlighted that more challenges need to be addressed during the 5G roll-out in 2022 and 2023.

Sri Lanka still has relatively low resilience in terms of cyber security readiness. As the number of devices connected through existing mobile broadband and fixed broadband increases, so does the number of devices exposed to threats. “In Sri Lanka, more than seven million devices are already infected by some kind of ransomware,” said Senanayake, “We need to develop a comprehensive national strategy to enhance our cyber readiness.”

Senanayake believes that a holistic approach is necessary during the process, which includes developing an institutional framework to define and execute strategy, creating a legal framework to enable enforcement, designing a governance model to align cyber priorities across government and private organisations and oversee execution, and investing in a capacity-building strategy that will enable the execution. To implement the measures, the establishment of a National Cybersecurity Agency with an appropriate mandate is important. The agency should be positioned in the right place within the Government, and establishing an enabling legal framework is key to taking national cybersecurity to the next level.

Senanayake also pointed out the importance of carriers following and implementing global network security standards. As 5G will itself be critical infrastructure subject to cascading effects, emphasis should be given to measurable security assurance and compliance due to legal and regulatory concerns. Many existing security capabilities of 5G networks are also available from 3GPP and other standards developing organisations.

The security functions defined by the standards organisations are already mandatory for equipment vendors to support in the interest of cyber resilience, yet their use is optional for the network operators deploying the 5G products. In the future, the network operations should make full use of the security functions to deal with the rising telecom attacks.

Finally, as the World Economic Forum has listed cybersecurity as the third-highest risk, Senanayake encouraged the Government, operators, enterprises and the whole country to move forward together to develop a more cyber-resilient nation.

Why do we need security assurance and how does NESAS work for the industry?

The world has witnessed a supply chain crisis over the past few years, which makes risk management a critical issue for the ICT industry.

GSMA Asia Pacific Head of Technology David Turkington emphasised that societal and business reliance on networks is increasing, network architecture/components/functions are more complicated, and regulatory pressure on security provisions/requirements is rising. The challenges brought by these developments require an integrated standard that not only focuses on the technical specifications of product development but also touches upon legal and policy aspects that are constantly evolving. Turkington stressed that “stakeholders need a common set of security assurance requirements”.

The common standard should cover security assessment of vendors’ development and product lifecycle processes, the accreditation of security test laboratories in accordance with ISO/IEC 17025, and product evaluations by competent test labs using standardised security requirements and test cases.

The Network Equipment Security Assurance Scheme (NESAS), jointly defined by 3GPP and GSMA, provides an industry-wide security assurance framework to facilitate improvements in security levels across the mobile industry. NESAS defines security requirements and an assessment framework for secure product development and product lifecycle processes, as well as using 3GPP defined security test cases for the security evaluation of network equipment.

NESAS, which is widely accepted in the industry, ensures that the relevant equipment meets the Scheme’s 5G network security and reliability requirements. The integrated assessment process avoids fragmented assessments and their resulting costs, while improving the transparency of security protection levels in the industry through visual and measurable results. NESAS covers 20 assessment categories, defining security requirements and an assessment framework for 5G product development and product lifecycle processes. Additionally, it uses security test cases defined by 3GPP to assess the security of network equipment.

NESAS provides a security baseline to evidence that network equipment satisfies a list of security requirements and has been developed in accordance with vendor development and product lifecycle processes that provide security assurance. NESAS is intended to be used alongside other mechanisms to ensure a network is secure, in particular an appropriate set of security policies covering the whole lifecycle of a network. The scheme should be used globally as a common baseline, on top of which individual operators or national IT security agencies may want to put additional security requirements.

The six key cyber security strategies for Sri Lanka

Explaining the Information and Cyber Security Strategy developed by Sri Lanka CERT for the four years from 2019 to 2023, SL CERT Head of Research, Policy and Projects Dr. Kanishka Karunasena pointed out at the event: “SL CERT has identified six key strategic thrust areas to create a resilient and trusted cyber security ecosystem that includes Establishment of Governance Framework; Public Private Local-International Partnerships; Legislation, Policies and Standards; Awareness and Empowerment of Citizens; Competent Workforce and Resilient Digital Government and Infrastructure.”

Dr. Karunasena added: “Under these thrust areas key initiatives will be the establishment of Cyber Security Agency (CSA) through a new Cyber Security act that will be the apex institution for all cyber security related matters in relation to civilian aspects.”

He further outlined that the new Cyber Security Act will ensure effective implementation of the National Cyber Security Strategy to provide a safe and secure cyber security environment and to protect critical information infrastructure.

Cyber resilience involves a whole-of-nation approach

During the panel discussion, the panel of representatives from the Computer Emergency Readiness Team and telecom industry discussed the upcoming 5G services and how 5G can change the industry and economy. 

Dialog Axiata Plc Senior General Manager, Network and Services Assurance Ruchira Yasaratne said that 5G defines mobile broadband that boasts much higher speed and bandwidth compared to 4G.

Mobitel Ltd. SGM, Enterprise Risk Management Jeewapadma Sandagomi added that 5G would change people’s experience with new applications such as IoT, smart vehicles, and AR/VR technologies.

Computer Emergency Readiness Team (SL CERT) CEO Jayasiri Amarasena announced that cybersecurity regulations are being drafted and that these regulations will be carried into policy along with the upcoming holistic cybersecurity agency. With the standards and regulations established in policy, the country will be able to enforce global practices in cybersecurity.

ICTA Chairman Oshada Senanayake pointed out that despite the country’s rapid strides towards cyber resilience, and some organisations being mature in cybersecurity, there is still a long way to go for the country as a whole. Currently, Sri Lanka is still lagging behind in the cyber resilience ranking, and the country should work harder together to boost its capability and reach the top 20 of the most cyber-resilient countries.

The panellists believe that 5G cyber security is a shared responsibility that involves whole-of-nation actors including operators, telecom providers, equipment suppliers, application providers, standards organisations, governments, regulatory bodies, and every user of devices. Each of these stakeholders has its own responsibilities. Only with the fulfilment of these responsibilities and a change in cybersecurity awareness can the nation become more resilient and safe in cybersecurity.

Pix by Upul Abayasekara and Ruwan Walpola

Keynote Speaker APAC, GSMA Head of Technology, David Turkington (via online)