The European Parliament has adopted the final report of the PEGA Committee of Inquiry, which included eight recommendations on telecom networks to address the growing threat of unauthorised intrusions and surveillance campaigns, writes Rowland Corr, VP of Government relations at international telecoms security firm Enea.
The move is a much-needed broadening of scope recognising a wider surveillance threat implicating the security of EU mobile telecom infrastructure, subscriber privacy, and democracy itself.
The unfortunate truth is that EU-based communications infrastructure is perhaps more vulnerable than ever to unauthorised access by malicious actors, which possess sophisticated capabilities distinct but not discrete from the use of surveillance tools such as Pegasus. More specifically, complex attacks that exploit vulnerabilities in signalling infrastructure allow attackers to weaponise the functioning of the network itself, putting both mobile subscribers and network operators at risk.
Capabilities over compliance
Make no mistake, the need to protect critical infrastructure and promote mobile network cybersecurity has never been more interwoven with broader efforts toward national and international security. To understand the vital importance of proactivity when it comes to operator oversight and network security, one needs only to reflect on exhaustive Ukrainian efforts to safeguard mobile communications as a core element of Ukraine’s ongoing defence against Russia’s invasion.
Fortunately, the significance of this has not been lost on the Committee, and among the most notable of its recommendations “calls on competent national authorities to actively promote strengthening providers’ capabilities” to identify and report illegal targeting, and to mitigate security gaps exploited by malicious actors.
This emphasis on capabilities over mere compliance is a significant step in the right direction as the Member States work to address this as-yet underserved area of threat detection in mobile telecoms and bring it into necessary alignment with wider coordinated efforts towards collective resilience.
For network operators, the implementation of the Committee’s recommendations can be viewed not only as an imperative, but as an opportunity to underpin conventional cybersecurity measures with defence against deliberate intrusions over signalling as well as non-malicious data leakage that put operators and subscribers at heightened risk of targeting. It is also an opportunity to move in lockstep with national stakeholders in cybersecurity, particularly as security threats increasingly involve the manipulation of national mobile network infrastructure.
‘Firm and demonstrable action’
Following the Committee’s adoption of these recommendations, network operators will need to quickly improve their ability to defend against this insidious surveillance threat, especially considering the call for telecom providers “to take firm and demonstrable action” to mitigate “the manipulation of the normal operations of mobile network elements and infrastructure for surveillance purposes by malicious actors”.
Even for those familiar with the fact that signalling protocols are vulnerable to manipulation for surveillance purposes, the fact that threat actors continue to innovate new attack methods and combine them across protocols can come as a surprise.
Signalling-borne threats to mobile security have become increasingly sophisticated, having grown in scale and complexity to levels scarcely imagined even when Karsten Nohl hacked the cell phone of U.S. Congressman Ted Lieu (with the latter’s permission to make the attempt, and prove that it was possible) in 2016.
The call for capabilities is also a call for a change in mindset. For operators, signalling vulnerability must be approached as a network security problem, not simply a signalling problem. It is important for operators to view signalling threats not as the exploitation of generic weaknesses of protocols – but as the exploitation of the weaknesses in their network security.
SS7, Diameter, and GTP-C protocols are tools for threat actors to identify and exploit the individual weaknesses of operators’ security policies and protection levels.
Put simply, in the absence of fit-for-purpose protection against signalling threats, mobile operators risk a multitude of harms, putting their subscribers’ privacy and access to critical services at the mercy of malicious actors.
Current threats will not merely subside on their own, to say nothing of the prospect of signalling-related security vulnerabilities already discovered in respect of 5G protocols. Such risks are even more acute amid a fraught geopolitical climate.
The immediate step to take following the PEGA Committee’s adoption of security recommendations is the urgent implementation of effective safeguards alongside intelligent, forward-looking strategies among enterprises and operators.
In the case of signalling network security, the foundation for providers is the deployment of appropriate firewalls. However, as the GSMA have highlighted in their Security Landscape report for 2023, it is vital that signalling firewalls are correctly configured if they are to be effective. The ability to generate threat intelligence to ensure any emergent threats, technical gaps, and network exploits are detected and mitigated in a timely fashion is key.
By leveraging threat detection systems powered by machine learning and backed up by advanced signalling security policies, technical support, and expertise, providers can greatly enhance not only their ability to single out vulnerabilities, but also their ability to establish processes to ensure “firm and demonstrable action” in response to a breach.
A broader takeaway from the Committee’s urgent recommendations is that change will need to be implemented as holistically as possible across mobile networks and should address all potential security risks at the infrastructure level.
Above all, operators should view the European Parliament’s adoption of the PEGA report for what it is: a watershed moment in EU strategic risk recognition, and a clarion call for the defence of mobile networks against unauthorised state-level intrusions.