Quite a few cyber-attacks have been reported in recent months. In early November 2018, a bank reported to the press details of an attack that, fortunately, did not affect its customers' funds, thanks to “an immediate activation of security and contingency protocols [that] made it possible to quickly take control of the incident, notify the authority, continue the bank's operation and ensure the integrity of data and information"[1]. Shortly before this, another bank suffered an attack and then announced the creation of a cybersecurity division within the organisation [2]. Meanwhile, in April 2017, the government launched the National Cybersecurity Policy [3].
It would seem that cybersecurity is the new black. The prefix "cyber” in the word also evokes this idea, even though the term and field themselves have existed at least since the middle of the 20th century, and relate mainly to systems, networks and their monitoring [4]. Cybersecurity is hardly new in banking, or in the telecom sector. In the latter, there has been a long-standing consensus that there must be an infrastructure in place capable of preventing and resisting attacks of any kind that could jeopardize service continuity. Thus, the issue of cybersecurity has been addressed for some time now, but under a different label: that of critical infrastructure.
Internationally, the International Telecommunications Union, the specialised telecommunications body of the United Nations (UN), published a first version of its handbook on telecommunications and information technology security in 2003. The preface to the document reports on this situation:
"While the growing importance of digital security may be due to headlines about the spread of computer viruses via email, or about cybercriminals stealing credit card numbers, it is also true that this is only part of the story. As computers and computer networks become as much a part of our daily lives as water and electricity supply, the issue of digital security is not only of concern to experts but also to an increasing degree to governments, businesses and consumers. This being the case, and with so many commercial and private aspects relying on computers and networks, it is evident that these systems have to operate securely."[5]
Domestically, since 2012 Chile’s telecom sector has had detailed regulations regarding its critical infrastructure. The event that prompted this regulation was the earthquake that struck Chile on 27 February 2010.
Ten months after the tragedy, Law 20.478 of 2010 added Title VIII "Critical Telecommunications Infrastructure" to Law 18.168, the General Communications Act (LGT), which mandates the Ministry of Transport and Telecommunications (MTT), through the Undersecretary of Telecommunications (Subtel), to develop a plan to safeguard critical telecommunications infrastructure "in order to ensure the continuity of communications in emergency situations resulting from natural phenomena, electrical failures or other catastrophic situations" (Section 39 A of the LGT). In order to accomplish this task, the legislator gave the national regulator the following powers: (i) to coordinate the implementation, development and maintenance of a critical infrastructure safeguard plan; (ii) to declare as critical infrastructure, by means of an administrative proceeding, the telecommunications networks and systems whose interruption, destruction, outage or failure would generate a serious impact on the safety of the affected population; and, (iii) to establish safeguard measures to be implemented by the companies for the operation and exploitation of their respective critical infrastructure[6].
Two years later, the sector regulator issued Decree 60 of 2012, which approves the Critical Infrastructure Regulation. This establishes, among other things, when and how Subtel exercises the aforementioned powers. For example, it includes a procedure under which certain infrastructure of a telecommunications company is declared "critical", an administrative qualification that implies, among other things, the imposition of specific duties precisely because of the importance of such elements to ensure service continuity. Thus, the most important infrastructure (classified as Level 1) is required to have an energy autonomy of 48 hours (Section 34 of Decree 60). The Regulation also establishes a reporting system between the company affected by an event that jeopardizes its operational continuity and the regulatory authority.
As part of the discussion and implementation of the National Cybersecurity Policy, it may be worthwhile to review how this system has worked, and to evaluate its use in other sectors where services are rendered through a network exposed to attacks (e.g., electricity generation, health, transportation, banking, etc.).
One of the objectives of the National Cybersecurity Policy is to identify and prioritise critical information infrastructure in different sectors, including telecommunications [7]; a former presidential cybersecurity advisor, in response to a question about how public-private collaboration will be achieved in the process of developing a national security policy, stated that this will be done "[through] the exchange of information, the enactment of regulations and amendments to decrees, such as Decree 60 [Critical Infrastructure Regulation], which has an impact on telecommunications, because that is the basis of cybersecurity"[8].
One aspect that could be considered is that the sectoral regulations on Critical Infrastructure do not require specific security standards, which allows regulated entities—e.g., telecommunications companies—to have a certain level of flexibility to adopt the measures that are most in line with their organisational structure, under the supervision of the authority. This is because it is the companies that, in theory, are in the best position to determine the risks to which their infrastructure is exposed, as well as the most suitable ways of dealing with them.
One interesting case study in this regard is the British telecommunications regulation. In 2017, Ofcom (Office of Communications) published a new version of its guideline on compliance with the telecommunications network security and resilience obligations contained in sections 105A and 105B of the Communications Act 2003[9]. Although this guideline is not binding [10], we feel that its flexible approach to security standards is of particular interest. As a matter of fact, Ofcom points out in the guideline that if companies adopt certain standards proposed in the Technical Guideline of Security Measures [11], which are themselves taken from the ISO 27011:2013 standard on information security "(...) it is likely that a CP [public providers of communications networks or services] with a current ISO 27001 certification with a relevant scope will already have considered and achieved most of the security objectives of the ENISA guideline"[12]. In any case, such certifications are not a requirement for compliance with section 105a of the British Standard.
Other international experience worthy of mention is that of Spain. In 2015, the Secretary of State for Security, by means of the ruling of 8 September 2015, approved the minimum contents of the operators' security plans and specific protection plans, which must be prepared by operators classified as critical, in accordance with Spanish regulations on critical infrastructures [13]. As in the British case, the Spanish authority adopted a flexible approach to safety standards, as it does not require the implementation of any particular one. Indeed, in the event that a critical operator "(...) has designed a management and/or evaluation system for the security of information technologies, according to some international reference standard", the regulation merely stipulates that "(...) this must be indicated, as well as the certifications held by said system and certifying body"[14].
Finally, the public-private model adopted in the US seems to confirm that flexibility in terms of network security is a sensible approach. The Network Reliability and Interoperability Council (NRIC), comprising the top executives of U.S. telecommunications companies and representatives of the authorities, develops best practice to minimise service interruptions and ensure service continuity in crisis situations, based on the principles of redundancy and interoperability [15]. These standards are not binding for companies and every year the NRIC reviews the good practices recommended in the past and new ones are proposed[16].
These three examples would suggest that a flexible approach to security standards is a sensible policy. Yet will this be enough? One possible course of action to explore might be for companies to implement cybersecurity prevention and compliance models for their networks, allowing them to prove to the respective authorities that they are taking all the necessary measures to ensure the continuity of their services. This could be part of the National Cybersecurity Policy or the result of an industry-wide self-regulatory effort.
References
[1] https://bit.ly/2SYC3cY. Retrieved 16 April 2019.
[2] https://bit.ly/2PZPbgP. Retrieved 16 April 2019.
[3] The National Cybersecurity Policy's objectives projected to the year 2022 are as follows: (i) to have an information infrastructure in place capable of resisting and recovering in the event of cybersecurity attacks and incidents; (ii) to ensure the rights of individuals in cyberspace; (iii) to develop a cybersecurity culture in Chile based on education, good practice and responsibility in the handling of digital technologies, aimed at public and private actors; (iv) to establish cooperative relationships in cybersecurity at an international level; and (v) to promote the development of a cybersecurity industry.
[4] The concept of cybersecurity dates back to the 1980s with the spread of the first computer viruses over interconnected networks. It was later replaced by the term "information security" and was once again replaced by the term “cybersecurity” in the mid-2000s, with the rise of Internet incidents and professional cybercrime. The emphasis now is for security management to be rooted not only in the technical realm, but also in management at the corporate governance level.
[5] INTERNATIONAL TELECOMMUNICATION UNION (ITU). La seguridad de las telecomunicaciones y las tecnologías de la información, p. 5. Available at: https://bit.ly/2UY6FiQ. Retrieved 16 April 2019.
[6] Section 39 A of the General Telecommunications Act (LGT).
[7] PNC, p. 11.
[8] https://bit.ly/2PZSsf6.
[9] These rules were included in the Communications Act 2003 as a result of the amendment made by Directive 2009/140 to Directive 2002/21 EC "on a common regulatory framework for electronic communications services networks". Furthermore, it is important to note that telecommunications companies are not regulated by the general European framework on cybersecurity (Directive 2016/1148) but are subject to the specific security and integrity requirements set out in Directive 2002/21 EC, "on a common regulatory framework for electronic communications services networks", as amended by Directive 2009/140 which provides that Member States shall ensure that undertakings providing public telecommunications networks (Section 13a): (i) take appropriate technical and organizational measures to adequately manage existing risks to the security of their networks and services; (ii) implement all appropriate measures to guarantee the integrity of their networks in order to ensure the continuity of supply of services using those networks; and (iii) notify the competent national regulator of breaches of security or losses of integrity that have had a significant impact on the operation of networks or services. The relevant national regulator may inform the public or require companies to do so, if it deems that disclosure of the violation is in the public interest.
[10] In fact, the UK industry authority warns that any breaches of telecommunications network security and resilience regulations will be assessed on their merits on a case-by-case basis.
[11] Produced by the European Union Agency for Network and Information Security (EINSA). Available at: https://bit.ly/2KF8rRU. Retrieved 16 April 2019.
[12] “Ofcom guidance on security requirements in sections 105 A to D of the Communications Act 2003”, version 2017.
[13] In 2011, Spain passed Law 8/2011, of 28 April "establishing measures for the protection of critical infrastructures", which was developed through Royal Decree 704/2011, approving the "critical infrastructure protection regulations". Available at https://bit.ly/2ffQpBg y https://bit.ly/2KkcbYL. Accessed 16 April 2019.
[14] Subsection 2.2.3. Available at: https://bit.ly/2Kw20AO. Retrieved 16 April 2019.
[15] Overview of FCC Initiatives to Protec Critical Infrastructure and Homeland Security. Remarks of FCC Commissioner Katheleen Q. Abernathy, 7 June 2004, p. 2. Available at: https://bit.ly/2Gotp2i. Retrieved 16 April 2019.
[16] For example, in March 2019 NRIC produced a report on best practices and recommendations for mitigating security risks in current IP protocols (https://bit.ly/2Iw0Tyi); in September 2014, this council reviewed 476 good practices (https://bit.ly/2V5GWoK). The complete best practices list is available at https://bit.ly/2PgYUPQ. Retrieved 16 April 2019.