Because a determined threat actor will likely penetrate any organization, the prime goal of a cybersecurity plan should be getting quickly back online, a Canadian expert told a telecom industry conference this week.
“You are not invulnerable. No one is,” Robert Beggs, president of DigitalDefence, a Waterloo, Ont.,-based incident response and penetration testing firm, told the Canadian Telecom Summit in Toronto. Don’t try to defend against every possible threat, he said. Instead, IT leaders should aim at letting the IT network fail “gracefully.”
Ask if there is an attack, can it be handled, and how quickly can you recover, he said. “That will be the true measure of success and survivability.”
The summit draws hundreds of telecom operators and vendors every year.
Beggs was on a cybersecurity and privacy panel that included Ann Cavoukian, expert in residence at Toronto Metropolitan University’s Privacy By Design Centre of Excellence; Georg Serentschy, managing partner at Austria’s Serentschy Advisory Services and moderator Joe Ozario, a consultant and president of the Toronto chapter of the Resilience Information Exchange (formerly the Disaster Recovery Information Exchange).
Serentschy talked about cybersecurity as seen by telecom regulators around the world, painting what he admitted is a “pretty scary” picture. Regulators are worried about threats from climate change to critical infrastructure, physical acts of sabotage (for example, those on the Russian-German NordStream oil pipeline) and fiber optic networks, and the alleged vulnerabilities of telecom network hardware from “non-like minded countries.” Without naming such countries, he said this last “is considered by many leading security experts as the real smoking gun.”
Another problem, he added, is that European regulators have been so focused recently on making wireless services affordable that network operators haven’t been investing in making their systems resilient. In fact, he said, regulators in Iceland see a lack of redundancy as a market failure that requires regulatory intervention. More of that may be needed in other countries, he suggested. To go along with that, there is a need for metrics to measure network resilience, he said.
Some network resilience may come from the use of near-earth satellite constellations, he also said, noting that Ukraine has shown the worthiness of that during its war with Russia.
Serentschy urged telecom regulators to do more to educate the public on cyber risks.
Cavoukian admitted that while it’s becoming “exceedingly more difficult to secure our data and keep privacy embedded into all our operations, we can’t give up.”
“It’s all about being proactive and embedding much-needed privacy into the design of your operations, so ideally you can prevent the privacy harms from arising.”
There is a range of weapons organizations can use, including end-to-end data encryption and creating “synthetic data” that strips personally identifiable data from digital information.
“You never give up on privacy and security,” she maintained, because these are the foundation of freedom.
She complained that governments have been “negligent” in not updating privacy and security legislation to up with the techniques of hackers.
Cavoukian also said it’s “appalling” that police continue to seek routine access to telecom networks’ encrypted data, saying if they need access, police should get a judicial warrant.
Most organizations are very poor at protecting against cyber threats, Beggs said. For example, many only test their website security once a year. Another example: Leaving a VOIP phone in reception for a visitor to use. When no one is around, a hacker can unplug the Ethernet connection, plug in their own device and have instant access to the corporate IT network.