
Telco, secure thyself - One-To-One - Bill Hancock of Cable & Wireless Internet Services, chairman of the FCC's NRIC Homeland Defense focus group on cybersecurity, is interviewed - Interview

Telecom Asia, Dec, 2002 by John C. Tanner

In the aftermath of 9/11, network security has taken on a new importance. But telcos have been on the case for years, right? Not so fast, advises Bill Hancock, Cable & Wireless Internet Services chief security officer and chairman of the FCC's NRIC Homeland Defense focus group on cybersecurity. In fact, he tells global technology editor John C. Tanner, the paradigm shift from circuits to packets and the rise of mobility are creating all sorts of new security problems.

Telecom Asia: The concept of security tends to be misunderstood by enterprises who don't know much about networking--is this also the case with carriers?

Bill Hancock: Oh, it's even worse. I'll give you a prime example. In the United States, there's something called the Network Reliability and Interoperability Council. It's an advisory group to the FCC that started 10 years ago. I am now chairing a committee there on cybersecurity that started in March. It's the first time they've ever had "best practices" for cybersecurity--ever. So I have to develop all this crap from scratch--I don't have anything previous to go on. All the teams that are working on this come up with one or two best practices and then we put them together. I'm up to 600. The telecoms companies were on board with this all along--so why is it all of a sudden we have to develop 600 best practices for it? There was nothing there before that--a committee for best practices in cybersecurity did not exist until March this year.

What finally convinced NRIC to create one--9/11?

That woke everyone up in a big way, but you have to remember that NRIC is made up of all the CEOs in the telecoms business--not the chief technology or security guys. They all got together and said: "We don't know enough about cybersecurity in order to have best practices for the telecoms industry, period, and we're telling the FCC that we need this." The other thing is that whatever NRIC recommends, the telecoms companies implement. They implement about 92% of the recommendations. If they don't, the FCC will regulate them. So the telecoms CEOs know that if they don't do what we tell them to do, and the FCC agrees that these are good best practices, they could get regulated and be forced to do them.

So are telecoms companies implementing them now?

Yeah, but not to the full, complete level that we're looking at. You look at some telecoms companies, they're looking at this and going: "Oh my God, what the hell is this?" They should already know what it is and already be doing it, or at least on the path to doing it, but frankly we're getting a lot of quizzical remarks from these guys. In a lot of cases, though, we get people who say: "Boy, are we glad you're doing this, because we've been fighting our management for years to try and get them to do this, and this is the first time they thought it was necessary." There are lots of telecoms companies that have a lot of security at one level or another, but as far as best practices are concerned, this is the first time it's ever come up.

What sorts of security topics do telecoms operators need to address?

Well, we asked ourselves what are all the security issues they have to deal with. You got operations, you got administration, you got maintenance, you got services, you got signaling issues--you've got this god-awful range. We came back with about 75 different topic areas that every telecoms provider has to worry about. Of those, I divided them into ten macro-topics, and each of those has around six to ten subtopics. Each topic area can generate anywhere from three to 20 best practices--and those are the absolutely critical best practices, not just "neat things to do". The approach is, we're going to get attacked--we have to come up with stuff for prevention and restoration. CEOs don't want to pay for everything--they want to pay for what they have to pay for, and nothing else.

So we're coming up with that list, which is the minimum you've got to have, and here's how each of them are prioritized. That tells telecoms what they have to do and the order they have to do it. The concept isn't maximum security--it's minimum security--enough to get the job done, keep the costs down, keep it cost-effective for both the company and the customers, and give it some real teeth.

The distinction is crucial, isn't it, because operators can't assume that their network will ever be 100% secure, can they?

No, they can't--that's crap.

When it comes to implementing security, how much of it needs to be done in-house, and how much could be outsourced?

Depends on the company. You take some really large companies like ourselves--there's some of it we will outsource. There's some that we won't--we'll do it ourselves because we view security as being a core technology of Cable & Wireless, just like networking. Some smaller telecoms operators, they may outsource the whole thing. In fact, we actually work with telecoms operators and become their wholesale security company--so they may deploy voice over IP, which requires a VPN and a firewall. We'll provide the VPN and a firewall, and white-label it to that company and it goes out as their firewall and VPN, but it's really not--it's us. We can do it for ourselves, so why not other people? Outsourcing is okay if you've got people with credentials and the right things. It's not okay if you don't know who you're doing business with.

 


Content provided in partnership with Thompson Gale