The sanctity of national security normally overrides a nation’s desire for a free market economy or a completely liberalised telecoms sector. This issue was revived recently by the Indian Department of Telecommunications’ decision to forbid the use of carrier equipment manufactured by the Chinese company Huawei. This is an unusual step as, in general, it is very rare for a regulator to endorse or prohibit a particular supplier.
Nevertheless, this situation is by no means unique to India. For example, in 2005 the UK’s security authorities faced the same dilemma following the deregulation and local loop unbundling of the core national telecoms infrastructure. This change resulted in a wide range of service providers installing and implementing network equipment from a variety of sources, some of which were considered untrusted by the authorities. The potential risk to national security was further exacerbated by the roll-out of next-generation IP-based converged networks, such as BT’s 21CN, as much of the equipment was purchased from suppliers in untrusted nations, primarily because it was considerably cheaper than equipment from suppliers in trusted nations.
So was the move by the Indian authority wise? The answer lies in the decision process. All private enterprises and public organisations face this type of risk every day: namely, how the security of the supply chain should be guaranteed. The pragmatic approach is for each national security authority to weigh up the risk to its national information infrastructure against the cost of implementing appropriate risk management and security controls. In India’s case, the risk-based decision will be considered by many as unsustainable and as failing to take into account industry needs.
By contrast, in the UK, the security and regulatory authorities’ decision to allow the procurement of untrusted equipment was based on balancing the cost saving of deploying a substantially cheaper 21CN core infrastructure with the cost of providing independent assurance and validation of the security of the equipment in question. This means that core network equipment will be subject to software and hardware analysis to ensure that there are no vulnerabilities or weaknesses. However, this approach has had implications for the end user. Subsequent to local loop unbundling, the UK’s national assurance authority issued guidance that the national telecoms network was no longer suitable for certain levels of classified information. This had an impact on the delivery and availability of standard secure services, most of which are unsuitable for the processing or storage of classified information without incurring substantial costs for the UK’s government and public sector users to improve security.
Regardless of the national strategy for securing the supply chain of critical telecoms infrastructure, both the security authorities and the enterprises delivering telecoms services have a responsibility and duty of care to citizens to ensure that appropriate risk management and due diligence have been carried out on both the infrastructure and service provision, irrespective of the source or origin of the supplier. With increased pressure on private enterprises to deliver lower-cost services in shorter timescales, we are now at a critical point where the security and regulatory authorities should collaborate to verify that service providers are assessing and validating the security of the services they deliver, and where appropriate should mandate minimum security standards.
Analysys Mason has worked on a variety of risk management and due diligence projects to help service providers and government departments deliver and procure secure services for both commercial and protectively marked systems. For more information, please contact Oisín Fouere, Consultant, at oisin.fouere@analysysmason.com