Role of cyber security policies and standards in 5G age

By Hiyal Biyagamage

Keynote Speaker APAC GSMA Head of Technology David Turkington

Guest Speaker SL CERT Head of Research, Policy and Project Dr. Kanishka Karunasena

The second session of the eighth Annual Daily FT-CICRA Cyber Security Summit held recently covered important aspects of network security standards and compliance with regard to rolling out 5G technology. As global cellular networks evolve to 5G, they are enabling and expanding a more all-things-connected world. However, with this comes an increase in cyberattacks on essential infrastructure like communications systems or power grids. Now, not only will devices like phones be at risk, but perhaps even things like cars, home appliances, or even pacemakers. Therefore, robust network security standards are essential for modelling potential cyber threats on a national level, a personal level, and everywhere in between.

NESAS: Enhancing trust in global mobile networks 

Delivering the keynote speech, GSMA Asia Pacific Head of Technology David Turkington introduced the audience to Network Equipment Security Assurance Scheme (NESAS), which provides an industry-wide security assurance framework to facilitate improvements in security levels across the mobile industry. The scheme was jointly defined by 3GPP and GSMA and it defines security requirements and an assessment framework for secure product development and product lifecycle processes, as well as using 3GPP defined security test cases for the security evaluation of network equipment.

“Mobile networks are critical infrastructure. They need to be robust and reliable. For this reason, it is important to verify mobile network equipment and make sure that adequate security is in place. However, doing so without harmonisation can drive global fragmentation of security requirements and conformance with them.”

“NESAS provides a security baseline to evidence that network equipment satisfies a list of security requirements and has been developed in accordance with vendor development and product lifecycle processes that provide security assurance. NESAS is intended to be used alongside other mechanisms to ensure a network is secure, in particular an appropriate set of security policies covering the whole lifecycle of a network. The scheme should be used globally as a common baseline, on top of which individual operators or national IT security agencies may want to put additional security requirements.”

In the 5G era, Turkington said NESAS provides a standardised and effective cyber security assessment, which allows the communications industry to ensure fairness. The assessment is also a valuable reference for stakeholders, such as operators, equipment vendors, government regulators, and application service providers, mentioned Turkington. 

“The Network Equipment Security Assurance Scheme (NESAS) provides an industry solution to meet the needs of industry and other stakeholders. It is an industry defined voluntary scheme through which network equipment vendors subject their product development and lifecycle processes to a comprehensive security audit against the currently active NESAS release and its security requirements.”

He also explained the NESAS benefits for network operators, equipment vendors, regulators and national security authorities. Some of the key benefits are:

• Raise confidence and trust in mobile network equipment 

• Increase transparency and comparability of security levels on offer 

• Industry defined requirements decrease the need for individual security requirements to be defined and/or tested

• Lowers duplication of work and security testing needs 

• Highlights vendor ability to achieve/maintain security levels 

• Encourages security by design culture across the entire vendor community

• Security assurance scheme entirely funded by industry 

• Single scheme that is globally relevant 

• Low barrier for innovation and entering markets 

• Cost-effective scheme that drives security gains 

“One of the motivations for developing NESAS is that the scheme will help vendors and operators avert fragmented regulatory security requirements. NESAS should be used globally as a common baseline, on top of which individual operators or national IT security agencies may want to put additional security requirements. The scheme is of value to both operators and vendors; it is intended to be used alongside other mechanisms to ensure a network is secure, in particular an appropriate set of security policies covering the whole lifecycle of a network,” said Turkington. 

Crafting a resilient cyber security strategy for Sri Lanka

Delivering the guest speech, SL CERT Head of Research, Policy and Projects Dr. Kanishka Karunasena discussed the implementation of Sri Lanka’s Information and Cyber Security Strategy which will be implemented over a period of five years from 2019-2023. The strategy aims to create a resilient and trusted cyber security ecosystem that will enable Sri Lankans to realise the benefits of digital technology and facilitate growth and a better future for all citizens. 

Dr. Karunasena explained that the strategy is underpinned by six strategic thrust areas. They are the establishment of a government framework, enactment and establishment of legislation, policies and standards, development of a competent workforce, developing resilient digital government schemes and infrastructure, raising awareness and empowerment of citizens and development of public-private, local and international partnerships. 

“As the complexity of the cyber security ecosystem increases, the Government has realised the need to have a national-level strategy for information and cyber security. It is a high-level, top-down approach to information and cyber security that establishes a range of national objectives and priorities that should be achieved in a specific timeframe.”

He mentioned that in line with the strategy, a Digital Infrastructure Protection Agency (DIPA) will be established as the apex institution for all cyber security-related affairs in Sri Lanka. Its mandate will be to oversee the implementation of the national strategy and establish specialised subordinate agencies to effectively battle emerging cyber threats. 

“DIPA will establish the National Cyber Security Operating Centre (NCSOC) for monitoring threats to digital government applications, critical information infrastructure, and critical systems of private firms. Furthermore, it will implement a 24/7 Cyber Security Call Centre, National Cyber Alert System, National Certification Authority, research unit and a Digital Forensic Lab as well.”

Regulatory frameworks and cyber security as a future career path 

Under the second thrust, Dr. Karunasena said the strategy is to create an appropriate regulatory framework for securing individuals and organisations in cyberspace and to strengthen prosecution support for modern cyber offences through the introduction of relevant legislation, policies and standards. 

“Sri Lanka, over the years, has taken several measures to battle various cybercrimes by introducing policies and enacting relevant legislations. In September 2015, Sri Lanka became a state party to the Budapest Convention. This was a historic policy achievement because Sri Lanka became the first country in South Asia (the second country after Japan, in Asia) and the fastest to accede to this important convention. To further strengthen our regulatory framework, gaps in the existing laws will be identified and new policies and legislation will be drafted and implemented to create a secure cyberspace for all Sri Lankans. The key steps under this thrust would be the introduction of the new Cyber Security Act, enactment of robust data protection and privacy laws, developing data sharing and critical infrastructure protection policies and implementing baseline security standards,” said Dr. Karunasena.

Additionally, Dr. Karunasena said Sri Lanka requires to expend much effort on building overall human resource capacity to combat emerging cyber threats. There is a distinct lack of initiatives to address the domestic shortage of cyber security experts. Under the third pillar, he said that the Government aims to implement appropriate strategies to facilitate the workforce to gain and maintain the knowledge, skills, experience and technological capabilities needed to effectively work in the cyber 

environment.

“Our strategy is to create a virtuous circle of supply and demand of information and cyber security experts through continuous assessment of the gap between the supply and demand of cyber professionals, increasing learning opportunities to capitalise on cyber security knowledge, and educating youth for building a pool of future cyber security professionals. Under this, one of our key objectives is to conduct a national level survey to understand the gap between the supply of information and cyber security professionals and demand from the industry for such professionals in Sri Lanka. An analysis of this nature would be important for DIPA to formulate a clear-cut strategy,” he said. 

In building future career paths in cyber security space, Dr. Karunasena said SL CERT will advocate for the inclusion of information and cyber security into the school curriculum with the aim of creating a talented pool of cyber security professionals in future. “We will facilitate career guidance workshops at schools across the country to raise awareness of the emerging career opportunities in this domain,” said Dr. Karunasena. 

Raising awareness among citizens

The Internet has become important for all aspects of daily life including education, work, and participation in society. A considerable segment of society is becoming more and more dependent on the Internet thereby becoming more vulnerable to cybercrime. A major reason for such vulnerabilities to cybercrime is lack of awareness among citizens about possible cyber threats and their consequences. 

Theft of identity, stealing of credit card numbers, and privacy violation and unauthorised access on social media for example are commonly caused due to the lack of awareness of citizens. Dr. Karunasena said it is crucial to raise citizens' awareness about emerging cyber threats and empower them with the knowledge and skills necessary to defend themselves against evolving cyber threats. 

“Under this strategic thrust, we have several key initiatives planned. One would be to collaborate with the Department of Census and Statistics to conduct a National Baseline Survey to assess Sri Lankan citizens' awareness, attitudes and behaviours on cyber security-related activities. We will extend the services of CERT website to provide a comprehensive collection of materials and activities relating to cyber security, and incorporate a comprehensive complaints reporting system to assist victims. Furthermore, we will increase information and cyber security awareness among the public through hosting awareness campaigns, organising public conferences, street dramas, and so forth. Additionally, we will pay special attention to most vulnerable communities in society including youth, women and elderly people. We also plan to introduce Information and Cyber Security as a subject into the curriculums with the support of the Ministry of Education and the National Institute of Education.”

Forging crucial partnerships 

Concluding his speech. Dr. Karunasena said the Government acknowledges that it alone cannot effectively combat these threats. Collective efforts of end-users, academics, private sector ICT professionals, Telcos and ISPs are essential in battling against these cyber threats. Moreover, cyber security cannot be achieved by any one nation alone, and a greater level of international cooperation is needed to confront those actors who seek to disrupt or exploit our networks. 

“We are focused to develop a mechanism for cooperation extending beyond government agencies to public-private collaboration, and local-international collaboration in developing a cyber security ecosystem. Our plans under this pillar range from setting up a Telco-CERT with the involvement of Telcos and ISPs to effectively handle emerging cyber threats, partnering with firms operating Critical Information Infrastructure (CII) to create resilience, maintaining an internet protocol (IP) reputational service, nurturing startups, partnering with universities to build a cyber security research culture and promoting corporation among industry sectors to work together to jointly improve detection, prevention, response and recovery capabilities,” Dr. Karunasena opined. 

Global leader in payments Visa and technology giant Huawei Technologies were the Strategic Partners. Banking partner was NDB and Official payment network was LankaPay, whilst the creative partner was Triad.

Pix by Upul Abayasekara and Ruwan Walpola