From Internet service providers (ISPs) to cable companies, the telecommunications industry facilitates rapid and widespread communication across the globe. With recent increases in cyber attacks, telecommunications firms have been affected by cyber threats more than ever before. Due to the significant amount of private information that is shared and stored through the critical networks they own and operate, telecommunications companies are often targeted by malicious cyber actors intending to access and compromise sensitive customer information and data.
Today, telecommunications providers are incentivized to spend money on security when it impacts their business. This means they tend towards spending on ensuring uptime of their networks. But telecommunications providers, as one of the core providers of internet infrastructure, are in a position to positively impact the security of the broader cyber ecosystem and, with the right mix of incentives, could do more to safeguard both the integrity and confidentiality of the data that transits their networks. Lacking these incentives, the onus for security will continue to fall on customers, who are often far less mature in their understanding of network security than the telecommunications provider. This status quo, the result of free market incentives, leads to suboptimal security outcomes. It is now well past time to rethink the relationship between telecommunications provider and customer and explore how to incentivize shifting more of the burden for security off of the customer and onto the multi-billion dollar enterprises that run the networks.
While some telecommunications providers have started offering additional security services at an additional cost, security is often an invisible cost to consumers, and customers are not willing to pay a premium for something indistinguishable to them. So the status quo today is that, while some telecommunications providers offer additional security services focused on safeguarding the integrity and confidentiality of data, not all customers take them up on their offerings. This lack of uptake means that cybersecurity, and as a result national security, is imperiled, all because incentives are not aligned to nudge telecommunications providers to supply security services to their customers at a cost customers are willing to swallow. The challenge for policymakers, then, is to understand this complex set of incentives and fix that equation.
In crafting these incentives, policymakers must consider the wide discrepancy in the size of companies across the sector, and subsequently in the resources and capabilities they have to spend on security, which leads to a significant gap between the larger and smaller telecommunications companies' ability to secure their services. Lumen, AT&T, and Verizon, for example, account for just over two-thirds of the fiber-to-the-home in the United States. As a result of their significant revenue, it is easier and faster for these large telecommunications companies to manage the implementation of new security processes and protocols. Smaller firms with more limitations on their financial resources do not always have the means to implement new security measures as quickly or to the same technical degree as their larger counterparts. Asking smaller firms to comply with extreme requirements that entail significant financial investment may overburden their already constrained resources. Overall, this results in significant discrepancies and fragmentation in security conditions across the sector. Policymakers should recognize this reality and adjust accordingly. Not all firms are of the same level of criticality and not all firms need to be held to the same standard of behavior.
Policymakers could take several steps to help incentivize shifting more of the burden for security off of customers and onto telecommunications providers. The first is to focus on opportunities for capacity building between telecommunications companies of all sizes and the federal government. Specifically, there exists a significant opportunity for the federal government and larger telecommunications providers to support the strengthening of the security capacity of smaller telecommunications firms that do not have the resources to do so on their own. The government and larger firms should engage smaller firms in these efforts, reinforce the importance of raising security standards for firms of all sizes, and provide recommendations and support for smaller firms in their efforts to improve their security.
Second, the federal government should clarify expectations for telecommunications providers. This should come in the form of clearly delineated mandatory security benchmarks set by the Cybersecurity and Infrastructure Security Agency for large, systemically important providers. If these benchmarks are met, they could lead to benefits like liability protections, enhanced information sharing from the intelligence community, and prioritized federal assistance. Those same benchmarks could be voluntary for smaller firms, but tied to federal financial assistance and investment efforts. Included in these benchmarks could be expectations about the steps that telecommunications providers must take to secure their services and customers beyond simply ensuring their continual availability. The critical point, though, when wading into mandatory benchmarks and standards is to ensure a balance of benefits and burdens.
Eliminating status quo barriers that hinder the telecommunications industry from taking on more of the security burden from its customers is critical for the resilience of the telecommunications sector. Shifting the security burden towards vendors rather than customers will improve cybersecurity across the sector as a whole.
Tasha Jhangiani is a Research Analyst with the US Cyberspace Solarium Commission. In addition to her work with the Commission, she is a Future Digital Security Leaders Fellow with the Institute for Security and Technology. Her work primarily focuses on efforts to increase cyber resiliency, operationalize cybersecurity collaboration between the public and private sectors, and chart a path towards the implementation of major federal cybersecurity reforms. Tasha holds an MA in Security Policy Studies from George Washington University. She received her bachelor’s degree in history and political science from Case Western Reserve University and studied for a year at the University of Oxford.
Frances Schroeder is a Young Global Professional Intern at the Atlantic Council’s Cyber Statecraft Initiative and a rising senior at Stanford University, pursuing a BS in Symbolic Systems and a minor in International Relations.