Translated Article: New ETSI Standard for Reporting Security Vulnerabilities
Original title: "Neuer ETSI-Standard zur Meldung von Sicherheitslücken", by Erich Moechel for fm4.ORF.at
The European Telecommunications Standards Institute (ETSI), until now known more for standardizing back doors for surveillance authorities than for IT security, is now taking on the so far unstandardized reporting of security vulnerabilities.
Belatedly, but still: the discovery of ever new, critical security vulnerabilities in the industry's IT equipment has finally woken up the European Telecommunications Standards Institute (ETSI). The public review period for an ETSI specification intended to standardize the process by which third parties report security vulnerabilities runs until September 15.
Since the introduction of LTE (4G), the standards of the IT world have increasingly applied to the formerly proprietary networks of the telecoms. This specification takes that into account by standardizing important IT security processes for the world of telecommunications. At the same time, the specification shows that this is still very much a beginning.
Vulnerabilities, penalties, data protection
The current cyber attack on T-Mobile USA, in which the data of more than 50 million customers was stolen, demonstrates the need to establish such a standard in the telecommunications industry. It is the sixth major security incident within four years at the US subsidiary of Deutsche Telekom. In contrast to Europe, where since the introduction of the General Data Protection Regulation (GDPR) in 2016 more and more penalties have been imposed that even large corporations can no longer pay out of their petty cash, there is no even remotely comparable regime in the USA.
In Europe, gross or repeated negligence in handling customer data can result in penalties of up to four percent of group turnover. This has apparently contributed to IT security vulnerabilities now slowly being taken seriously by the industry. The GDPR was followed in 2018 by the standards ISO/IEC 29147 and ISO/IEC 30111, which to some extent standardized both the reporting process and the further handling of newly discovered vulnerabilities in IT systems that are visible from outside – i.e. from the Internet.
The standards and the practice
The ETSI specification refers to these two ISO standards as well as to a handful of publications by the Internet Engineering Task Force (IETF), the security organization FIRST, the US research institute MITRE and the National Institute of Standards and Technology (NIST) of the USA. This guide from the Technical Committee TC Cyber within ETSI assumes very little prior knowledge: at the outset even the simplest terms such as "exploit" or "payload" are explained, and it continues in this vein. The ETSI draft formalizes a convention for reporting security vulnerabilities that large corporations have long practised, and which runs roughly as follows:
Security researchers who discover "bugs" in an application visible from the Internet – i.e. programming errors, incorrect implementation of a technical security standard, etc. – report them to the company concerned, or to the manufacturer of a device if the bug resides directly in the operating system of, for example, a web server or router. The company then tries to reproduce the error in a test environment and to assess its degree of risk, a process known as "triage". Depending on the severity, a "hotfix" is then applied, i.e. a temporary protective measure, which is usually followed by the actual correction of the error in the affected systems after a considerable delay.
Coffee mugs and thank you letters, but no payment
The guide has little to do with technology; rather, it is methods, procedures and, above all, the communication processes between the site operator and the person who discovered the bug that are to be standardized. And here ETSI assumes that security researchers primarily want to be known and publicly recognized. There is no mention of a "bug bounty" – a kind of reward for the more dangerous vulnerabilities – of the sort advertised by Google, Apple and a whole series of other large companies.
The crux of such a general security standard is that it is not addressed to a specific target group. What is good enough for a small or medium-sized enterprise (SME) in terms of measures to find security vulnerabilities may be far too little for a large corporation like Deutsche Telekom AG. Security researchers have different expectations of an SME than of a multi-billion dollar global corporation. The latter are, after all, the "stakeholders" in the European Telecommunications Standards Institute, which is nothing more than an association near Nice, completely dominated by the large telecommunications companies and their suppliers such as Ericsson, Nokia or Huawei.