We'll drop SBOMs on UK.gov to solve Telecoms Security Bill's technical demands, beams Cisco

Doc reveals more of what's causing industry to tear its hair out


Britain's Telecoms Security Bill will be accompanied by a detailed code of practice containing 70 specific security requirements for telcos and their suppliers to meet, The Register can reveal.

The Telecoms Security Bill (TSB), which is near the end of its journey through Parliament, has been rather unpopular with some ISPs, which have previously complained about the high cost of compliance.

Introduced as part of 2019-20's "ban Huawei immediately" panic, the bill includes provision for £100k-a-day fines.

Now El Reg can reveal more about the detailed requirements due to be imposed on the industry, thanks to Cisco publishing a detailed paper [PDF] explaining how it already complies with UK.gov and National Cyber Security Centre requirements. That paper is a response to a document called the Vendor Annex, an NCSC-authored technical bolt-on to the main bill.

"We expect that the way it will work is there will be some expectation that the operators will be obliged to do much more scrutiny when they go through their procurement exercises with telco vendors," Cisco's UK&I national cybersecurity advisor, Mark Jackson, told The Register.

Jackson added that many of the requirements in the bill and the Vendor Annex could be satisfied through provision of a software bill of materials (SBOM), though that specific term isn't mentioned. SBOMs as a security management concept have come in for some criticism recently because they could create the illusion that picking (for example) one specific software library means "job done, it's secure", without setting the expectation that the library will need updating in future.

This kind of problem was endemic in Huawei's mobile network equipment firmware, as NCSC's Huawei examination cell revealed in 2019. The Chinese firm was, among other things, using "70 full copies of 4 different OpenSSL versions" which contained 10 "publicly disclosed" vulns, some "dating back to 2006".

Referring to the TSB, Cisco's Jackson illustrated the SBOM problem from the vendor's perspective:

There's always that risk that customers come to you and say, I can't possibly buy your product, because you've got maybe one version out of date of OpenSSL. It might not be vulnerable, but... it's out of date, therefore it must be bad. And you then end up with a really difficult conversation from a commercial perspective as to how you manage those things and get down to the pragmatic risk management of these things.

Other key inclusions in the Vendor Annex include provision of secure boot, security testing (including specific mentions for fuzzing and negative testing) along with a specific requirement that there are "no undocumented administrative mechanisms", something that's caught Cisco out in the past among others.

The Internet Service Providers' Association declined to comment on the current state of the Vendor Annex, as did the National Cyber Security Centre. While the document will be undergoing more revisions over the coming months, the TSB's proposed requirement to log 13 months of "all access" to networks by users will continue to worry privacy and security advocates alike. ®

