The telecom industry keeps us globally connected via the phone, across the internet, over cables — anytime and anywhere. Mobile operators, satellite companies, internet providers, telephone corporations, and the infrastructure behind these organizations generate and collect a multitude of data on a regular basis.
As technology becomes more developed and the world has become more data-rich than before, the threat landscape has also changed. Cyberattacks targeting the telecom industry have soared through the years. This is given the fact that the industry controls a vast majority of complex and critical communication infrastructure.
Data is a valuable resource for telcos as well as a wide range of potential value-added service providers. To be specific, telcos generate different types of data such as call detail data, network data, and customer data. These collectively consist of all the calls made within the networks, the state of hardware and software components in the networks, and the identification details of end-users.
Considering this, telecom is a high-risk industry for cybercriminals. Not only are the data proven to be valuable, but they are also exposed to various vulnerabilities. Vendor and supply chain risks; user device and insider threats; malware; DDoS attacks; social engineering; and, government surveillance, are some of the most common cyber threats affecting the telecom sector.
With many employees, customers, and third parties in its ecosystem, telcos will continue to be a target for criminals. In response, taking precautionary steps can go a long way to blocking attackers and protecting companies’ and users’ assets.
Keeping telecom data secure
A successful cyberattack on a telecom network could disrupt mobile and internet services for millions of subscribers, shut down government operations, and disable businesses. The convergence of mobility, cloud, and social networking have multiplied the amount of existing data within the industry.
Thus, operators and service providers must be fully aware on the possible threats that may occur from these deployed technologies. Monitoring user and network activities to provide insight into ecosystem vulnerabilities and threats becomes mandatory. A new approach to security comes to life as data breaches and other hacking incidents are seen as a critical business risk that may not always be preventable, but can be managed up to certain levels.
Through a so-called ‘Awareness to Action,’ model, four key directives are considered: (1) security is now crucial for enterprises, (2) security threats are business risks, (3) the most valuable information must be protected, and (4) all activities and investments should be driven by comprehensive information derived from assets, ecosystem threats, and vulnerabilities.
A holistic cybersecurity approach for the telecom industry must be implemented to ensure that data — valued as an asset yet susceptible to risk — is protected at all costs. "Privacy by design," data minimization, information sharing, data sandboxes, encryption standards, threat detection, incident response, and consumer privacy rights are some of the fundamental aspects that must be taken into account.
In the International Telecommunication Union (ITU) recommendation X.1751, security guidelines for big data lifecycle management by telecom operators were discussed. Why big data? Because telecom operators collect a vast range of customer data related to an individual user (user profile, devices, usage, and location) which they can take advantage of using big data analytical techniques. These data can then be utilized to develop services related to a wide variety of applications like smart cities.
The big data lifecycle includes six main stages: data collection, transmission, storage, usage, sharing, and destruction. But, before breaking down these six, it is worthy to note the principal categories of user data:
- data generated from a telecom operator’s business support system (BSS) — user identity, length of call, call target, communication bill, service types;
- data generated from a telco operator’s operations support system (OSS) — user behavior data acquired from internet browsing history, chatting, playing games;
- data based on a user's location-based service (LBS) information — for business marketing, population mobility, public safety, and urban planning; and,
- data to business or to consumer (2B/2C) generated in the IoT scenario — great value in healthcare, wearable device, and smart home areas.
In summary, here are some of the security guidelines to be followed:
- Data collection stage: Users should be informed about which data are being collected and why. Moreover, protection of the transmission of collected data using encryption algorithms that are widely used and tested by trusted third parties is recommended.
- Data transmission: This must be done via an end-to-end encrypted channel. Prompt detection of damage is recommended with the implementation of necessary measures recommended to restore if any errors are detected.
- Data storage: The storage device requires the installation of up-to-date security software. Deploy multi-person operation vault control mode so a single person cannot have full operational authority such as data batch output, copying, destruction, publication, and usage.
- Data usage: In order to protect sensitive data, data pseudonymization is necessary at this stage. Also, the provision of security audit trails is recommended to test for adequacy of data usage and to ensure compliance with established security policy and operational procedures.
- Data sharing: When data are shared with external services, limitation of data usage is recommended to avoid data reselling. Security protection mechanisms must be negotiated among the relevant stakeholders, including policy for shared data transfer, storage, access, etc.
- Data destruction: Data must be both erased and overwritten in a solid-state. After data are deleted, confidential resources like files, directories, and DB records, should be cleared without the possibility of restoration.
In addition, ITU laid out where the demand for a comprehensive network security framework originated from: customers/subscribers, public authorities, and network operators and service providers. To explain, subscribers need confidence in the network and the services offered while authorities demand security to ensure the availability of services, fair competition, and privacy protection. Lastly, telcos must safeguard their operations and business interests.
Data protection laws in the Middle East
Hitherto, ITU has probed the security within the ICT sector on its recommendation X.805. Among its highlights are privacy and data confidentiality where the former relates to the protection of the identity of users and the activities performed by them and the latter relates to the protection against unauthorized access to data contents.
According to GSMA, Qatar was the first GCC nation to issue a generally applicable data protection law — Law No. 13 of 2016 Concerning Personal Data Protection (the PDPL) — which took effect in 2017. The law is modeled on and incorporates familiar concepts from other international privacy frameworks, mandating that any party who processes personal data must adhere to the principles of transparency, fairness, and respect for human dignity. The Compliance and Data Protection Department (CDP) issued 14 regulatory guidelines in November 2020 to introduce new concepts aligned with the General Data Protection Regulation (GDPR) principles (i.e carrying out data privacy impact assessments and maintaining records of processing activities).
Bahrain was also one of the first to adopt its own data privacy law in 2019. Heavily based on the GDPR, the law aims to be consistent with international best practices. It includes the protection of individuals’ privacy, specific consent requirements for data processing, and the creation of a Personal Data Protection Authority.
In Kuwait, the Data Privacy Protection Regulations specifically applies to all ICT service providers in the state. Furthermore, it governs the collection and processing of personal data. Following the increased use of advanced technologies such as IoT, blockchain, and cloud computing technologies in Kuwait, the Communication and Information Technology Regulatory Authority (CITRA) demonstrates its willingness to protect fundamental rights and freedoms relating to the privacy of personal data.
There is currently no dedicated data protection legislation in force in the Kingdom of Saudi Arabia (KSA), but other general and other sector-specific laws address data protection. These include the Anti-Cybercrimes Law, Telecom Data Protection Principles, IoT Regulatory Framework, and Cloud Framework.
Similarly, Oman does not currently have an independent data protection law. Instead, various general and specific laws regulate data protection and privacy. These include the Basic Law of Oman, the Electronic Transactions Law, the Cyber Crimes Law, and the Telecommunications Regulatory Law.
Accordingly, the United Arab Emirates (UAE) does not have a single rule to protect the data and the privacy of both individuals and enterprises. Yet, it has set in place many legislations such as the Federal Law No. 5 of 2012 on Combatting Cybercrimes, the Telecommunications and Digital Government Regulatory Authority (TDRA) Internet Access Management (IAM) policy, Article 31 of the UAE’s Constitution, and the Dubai Data Law.
