Ben Lane, CIPRNA event manager, met Mike Regan, VP Business Performance, Telecommunications Industry Association (TIA).
The following is a transcription of their conversation.
Ben Lane:
Please provide a short introduction of who you are, where you’ve come from and what your responsibilities are in terms of the TIA and its overall policies and standards.
Mike Regan:
Prior to joining TIA, which was in November of 2022, I had been retired for several years. I was a member of multiple founding teams and early-stage, venture capital-funded startup companies that developed networking and communications products for a variety of highly regulated applications. I received an inquiry from TIA whether I would be interested in coming and joining them. I found it interesting, challenging, something very, very different than what I had done in the past. I have been on the other side of the table when it comes to some of these standards and have had to be certified and compliant.
At TIA, I’m responsible for a group called the QuEST Forum, which maintains our business process standards – slightly different than TIA’s technical standards. TIA also has innovation programs with a focus on edge data center design and smart building design and certification. There is a very active government advocacy group and then there is the QuEST Forum. We are historically known for a standard called TL 9000, which has been in place for around 25 years. This is a quality management system for the telecommunications industry. We had noticed several years ago, and after asking our membership, new challenges in cyber and specifically supply chain security. So, we launched a work group to explore and ultimately decided to develop a new standard called SCS 9001. It was originally released early last year in the first quarter of 2022.
It is focused on the information communications technology industry, and the intent is to help people who operate networks assess and provide a high level of assurance to themselves of the security practices of their vendors. When we talk about the target audience today, it’s very different than it might have been 10 or 15 years ago. SCS 9001 has been developed for really almost anyone that operates a network. And anyone that does offer a network in today’s environment is vulnerable to attacks of various types. And we’re seeing the bad guys get very creative. It’s not just a bank or financial institution, it’s not just the installation of ransomware; this is going beyond nuisance attacks.
Attacks today can mean millions of dollars of damages and they have attacked life critical systems such as the public water supply in Florida a couple years ago. So, the stakes are getting extremely high. We’re seeing a high level of government interaction starting not just within the US but globally, where governments are entering the conversation and trying to nudge the industry along. Different governments are taking different approaches to that. The US so far has taken a slightly different approach, more of an incentive-based approach where funding opportunities with new requirements in laws like the Infrastructure Investment and Jobs Act and the $42B BEAD Program that it funds.
Ben Lane:
Okay, that’s a great summary. In relation to communications how do you view emerging threats? Can you give me some ideas around that and maybe an example or two?
Mike Regan:
Sure. So, the climate has changed pretty dramatically in the last several years. The types of attack are getting more creative all the time. It’s not just the bad actors identifying an exposed system, or a misconfigured system. The entire way that software is developed and deployed today differs widely from the past. Things like DevOps, DevSecOps, continuous development, integration, deployment, there’s an entire ecosystem of the systems now used to develop and deploy software and modern networks. You might have heard of the SolarWinds breach, which happened about 2 years ago. They attacked the development systems of that company, planted malware, which was then distributed as part of the product.
So, when it comes to today’s security it is a non-stop, all-encompassing activity that people need to embrace all the way from product conception through its complete operational lifetime and then ultimately to retirement and disposition of those IT assets. There are threats in every part of that lifecycle that need to be accounted for and that’s what we’re focused on. I think the industry’s done a pretty good job of establishing some best practices for IT operations. We’re taking that next step to ensure that the complete supply chain development processes are covered as well.
Ben Lane:
Great, thank you. So, you’ve sort of touched upon protecting against these threats and building resilience, have you got anything further to add to take the story on?
Mike Regan:
Just that it’s a big problem. If it wasn’t such a big problem, it would’ve been solved by now. It touches every aspect of an organization, developing products and services that go into modern networks. There are possibilities and threats that exist at every stage and it is refreshing to see the level of collaboration and partnership, which is growing between organizations such as ourselves, the people who operate the networks, the vendors of the products and services that go into those networks and government agencies.
Everybody is coming together in an attempt to make material improvements to the current environment that we’re all dealing with. And frankly, it hasn’t improved sufficiently yet. You can pick up a newspaper or trade magazines and the threats come in at an increasing frequency and increasing severity. So still a lot of work to be done.
Ben Lane:
This brings us neatly onto the last point. Can you explain the cascading effect and what measures are in place, do you think, to respond to the impact of failure not within your industry, but across other industries? So, how does telecoms affect the transport sector, the power and energy sector?
Mike Regan:
I think one of the challenges everyone is facing right now is that the problem is large enough that it’s drawn everyone’s attention, especially when governments start to get involved.
Now what we’re trying to do is push on the collaborations that we’ve had with a number of government agencies. What we are trying to do, we promote certifiable standards as the highest level of assurance that you can gain.
We’ve developed a complete ecosystem around having trained independent certification bodies that go into an organization and conduct an assessment of how well they truly comply with the standards that we produce. And that provides a high level of confidence.
At the highest level, we provide the means for an independent assessment so there’s no question whether an organization meets the expectations of a standard or not. Now that’s an investment, right? That’s a fairly heavy approach. But the problems we’re trying to solve here are big problems; if they were easy to solve, they would’ve been solved by now.
Ben Lane:
Thanks so much for your time.
Mike Regan:
Thank you.