- DT CSO Thomas Tschersich is a leading proponent of GSMA and 3GPP scheme.
- NESAS aims for more secure mobile networks and efficient security testing.
- Geopolitical climate heightens awareness about the security assurance scheme, and DT exec insists it could be an apolitical solution to concerns.
Deutsche Telekom’s Chief Security Officer Thomas Tschersich is a big fan of the Network Equipment Security Assurance Scheme (NESAS) run by the mobile industry group GSM Association (GSMA) and standards organisation 3GPP.
Speaking to Deutsche Telekomwatch, Tschersich said this “under-the-radar” scheme, which was designed to improve mobile network security and reduce security testing costs for operators, is now getting more attention in the current political climate around 5G network security, and could potentially have a more prominent role by helping European governments to certify equipment.
NESAS sets baseline security requirements for mobile network components, which are specified by 3GPP, and provides a framework for independent testing. The scheme assesses vendors’ security practices across their product development processes and tests network components in independent labs against the 3GPP security specifications. Together, the assessments and tests are meant to provide operators basic assurance about the security of network equipment before it goes into their own labs for more stringent tests.
The scheme was initiated by DT and Orange four years ago. NESAS officially launched in December 2019 and is understood to be the only security assurance programme specifically focused on mobile equipment and product development lifecycles. So far, Ericsson, Huawei Technologies, Nokia, and ZTE have committed to the scheme and have already undergone assessments of “product development and lifecycle management processes”, according to the GSMA.
Tschersich said the initial goal of NESAS was to improve network security. “The idea was to create an industry standard for security per component, which is proved independently, to gain more trust in single components”, he said.
The aim is to “make security a functional requirement” in the same way that there are requirements for interoperability or performance and set an industry standard to ensure all vendors implement the same security requirements in every mobile network component — whether it is part of a base station, core network function, or transport network.
There is also an efficiency angle to Tschersich’s interest in NESAS. Operators typically conduct similar security tests on the same vendor equipment. Allocating the subset of redundant tests to approved, independent labs would be beneficial to operators and vendors, allowing telcos to focus testing efforts on their specific requirements.
“If an independent body could test those things and scenarios upfront, then we’re able to reduce the time for testing on the operator side and become much faster at introducing new technology”, he said, noting that the independent testing part of the NESAS scheme has not yet been implemented.
Politics shines a light on NESAS
NESAS has been quietly developed over the last four years, unconnected to the political storm over Huawei and 5G vendor security, but the current political climate is raising awareness and could see the scheme play a bigger role.
“When the political debate started, it was quite clear that we need to have something in place [that] is proving the security and the trustworthiness of a component… Lucky [for] us, we had prepared the NESAS scheme, together with GSMA and 3GPP, which suddenly perfectly fits into the hole which was opening up”, said Tschersich. “I’m not talking about the trustworthiness of the vendor, that’s a different aspect”.
Since the NESAS scheme defines and standardises security requirements and independently tests the requirements, the model could provide a framework for national and European Union authorities to certify vendor components. The new German IT Security Law, for example, is likely to require the certification of certain components.
In Germany, while the government resisted US pressure to ban Chinese vendors from 5G networks (Deutsche Telekomwatch, #94, #97, and #98), the new IT security law that was passed at the end of 2020 will make it much harder to use Chinese equipment. For the first time, the German law sets high security standards for network components and requires that critical components are certified before they can be deployed.
“[NESAS] can help, if we come to the conclusion in the political debate that it makes sense, and I’m convinced that it would make sense, to focus on proven technical judgments”, said Tschersich. “Then NESAS could be an answer [that] helps us in solving that issue”.
Is this about Huawei?
Asked whether DT viewed the NESAS scheme as a way to ensure it can keep using Huawei equipment in its networks, Tschersich said this was a “totally different question”.
“This has nothing to do with certification of technical components. There is a clear political debate on ‘can we trust a certain region in the world or not?’ And this is not our turf. But what we really comment on is the technology”.
He said DT’s view is that there needs to be a focus on technology and transparency that is “totally vendor independent”.
“Think about it, you have a single vendor, you have these high levels of standards for [it], and you have others with at least no security standards at all. That makes no sense to me”, he said. “We have to ensure an up and running network for globally, roughly 190 million customers. They don’t care about which component we have in the network, they just care about their data and privacy”.
He added: “If we need to raise the bar… we need to raise the bar for every single vendor. It makes no sense to build the fence around your house five metres high if you leave the front door open”.
Taking NESAS beyond mobile networks
Tschersich wants to see the NESAS scheme expanded beyond mobile networks to include all parts of telecoms networks. “It’s achievable over time, but you need to start small to scale big”, he said.
Jon France, Head of Industry Security at the GSMA, said that while potential expansion beyond 3GPP components has been raised, “currently we are focusing on the main functions” and that as the scheme evolves it might include components from other types of networks.
The current NESAS scheme is mainly for 4G network components, but multiple security assurance specifications have already been added for 5G network functions.