Vodafone CISO Amit Pradhan explains top five cyber security risks facing Indian telecom sector

Amit Pradhan

Failure to adhere to regulatory requirements; cyber attacks disrupting telecom services; subscriber data privacy breaches; the cyber security function’s inability to support new business initiatives with equal pace; and finally, concerns associated with outsourcing are some of the risks faced by the Indian telecom sector. EC’s Abhishek Raval discusses them with Amit Pradhan, CISO, Vodafone.

Which are the top five risks that Indian telcos face?
The top five risks for any telco in India would be the following:
The first risk is failure to adhere to regulatory security requirements and thereby non-adherence to the regulatory regime. Indian telecom security regulations have some of the most stringent security requirements in the world. These regulations are intended to protect data privacy of subscribers, national critical infrastructure, enable national security, and assist law enforcement and intelligence agencies to provide a safer environment for the citizens. Some of these requirements include appointment of a CISO who is an Indian citizen; all critical telecom devices be managed by only Indian citizens; subscriber data to reside and be accessed only from India and nowhere outside India; telco operator to seek approval/declaration for all deviations, etc.

Failing to demonstrate compliance to these requirements may attract suspension or cancellation of license. In case of a data breach, if the operator is not able to demonstrate adequate security controls as per the compliance, the operator may be subjected to financial penalties of up to ₹50 crore per license, per breach. Which means, considering a massive data breach across all licenses, the amount could go in multiples of ₹50 crore, based on the number of breaches, with multiple licenses (each operator has approximately 26 licenses). The amount subjected may go up to ₹1,300 crore hypothetically.

The second risk is breach of subscriber data. A telco has personal and sensitive information of millions of subscribers. This information includes their birth date, residence address, PAN, license, Aadhaar number, all data records, their location, etc. While most of this data is not available to any individual in the organization, some of the data is required by the law enforcement agencies during criminal and national security related investigations. It is the telco’s primary responsibility to build a strong and secure environment to store, process and move this data as and when required by government agencies. Loss of this data due to a data breach would mean telcos can lose their reputation, subscriber and stakeholder trust, ultimately resulting in loss of current and future business revenue.

The third risk is that of attacks from cyberspace. A telco has a massive and complex technology environment. Distributed Denial of Service (DDoS) attacks have been quite prevalent since the last couple of years and have been known to disrupt services across the financial sector. There was an FIR filed (first-of-its-kind) by a company last year with the Mumbai cyber police against an unknown attacker for perpetrating a DDoS attack to the scale of 140 Gbps. These attacks appeared to have originated from China and Eastern European countries. The attackers use telcos as conduits for carrying out the attacks. Thus they play an important role in keeping the industry safe. Especially, the BFSI, power grids, etc., which take services from us.

The fourth risk is the inability of the cyber security function to support the business in the rollout of new innovation initiatives on the business side. This involves exploiting different technologies to roll out new customer services. When the telecom industry is moving from voice to data, and with new technologies also coming in, the sky is the limit on the amount of offerings that can be coined. It is the CISO’s function to make sure these services are launched after the right security controls are taken care of. Security has to be covered from all the angles – in the stages of design, implementation and post implementation.

The inability of the CISO to deliver will result in telcos failing to respond to competition faster and will also affect the competitive edge.

The fifth is the risk involved with outsourcing. The majority of the functions of telcos are outsourced. Most of the staff is not on the direct rolls of the company. The companies to whom we have outsourced also in turn subcontract their jobs to other companies. The huge database that we have is managed by this complex web of outsourced companies. The control that I can exert on my employees cannot equally be applied on the employees of an outsourced company. Hence it is important to establish the right checks and balances while outsourcing and managing the outsourced partners. It is important that all necessary security requirements are included in the contracts and SLAs with the partners.

How do you make sure information security is handled at the level of the kirana shops / retailers that give out new connections and provide recharges?
A major challenge in engaging with the retailers is in the process of issuance and management of new connections to the customers. To get a new SIM card, the customers have to give out their personal details in the client application form given by the telco. The retailers and kirana shops provide SIM cards to the subscribers. The SIM cards are mapped to our system. The only transaction that retailers can do is ‘recharges’. The recharge limit is set for the retailers based on the business volume they garner for the telco. These restrictions save us from potential financial losses. The revenue assurance and fraud risk and security team continuously keeps track of these transactions. Alerts are triggered when anomalies are found. Investigation begins when a certain threshold is breached.

In the light of security, how do you distinguish Aadhaar enabled KYC and the process followed earlier?
A subscriber earlier would need to provide his proof of identity, proof of residence along with a customer information form to apply for a connection. Post the physical verification, the SIM card would be activated. With eKYC being adopted (in metros/few other locations), the customer can visit a store, fill up the form and get his SIM card activated in minutes after using biometric authentication. The eKYC process has not only improved the customer experience in getting a connection but also improved the overall security posture of the setup. Unlike the earlier time, where it would be difficult for a store manager to verify signature, authenticity of documents submitted and overall security in protecting these documents, with eKYC the receipt and storage of these documents can be avoided. Additionally, the store manager, through eKYC, can be assured that the customer has provided correct and accurate information.

How do you view the application of Artificial Intelligence in cyber security?
AI provides a major potential in the field of cyber security. The first use case can be in security prediction for cyber-attacks and frauds which can help organizations prevent fraud instead of responding. All frauds and anomalies have characteristic behavior, which cannot be assimilated by a human due to its large volume. AI can play a critical role here.

The performance of the telecom networks can also be improved using AI. For example, call drops. If AI is made to understand the various reasons due to which calls get dropped, it can result in a huge revenue earner.

User profiling and anomaly detection through advanced analytics and AI can help identify individuals (disgruntled employees, employees who have resigned, etc.) to help alert the security team of possible data leakage or unauthorized usage. These, combined with restrictive mechanisms, may actually help block an authorized user who has resigned and is trying to pull confidential information out.