The big picture: Cybersecurity threats and data breaches in telecom networks are on the rise, leading to increased oversight. Recent guidelines from global regulatory agencies call for stricter controls to protect against attacks like Operation Salt Typhoon.
Go deeper: The guidelines resemble the Payment Card Industry Data Security Standard (PCI DSS), established in 2004 to secure credit card transactions. Telecom network operators can use the PCI DSS as a model to enhance network controls, monitor changes, and establish a security baseline to prevent cyber threats.
What’s next: Telecom companies are encouraged to adopt rigorous security standards now to stay ahead of future regulations. Taking proactive measures, such as monitoring network changes and enforcing access controls, can help providers secure networks and avoid government intervention.
Rising cybersecurity threats and high-profile data breaches by foreign adversaries infiltrating telecommunication networks have placed the industry under increased scrutiny. While there is no singular regulatory standard governing telecom security, recent regulatory guidance suggests a shift toward stricter oversight.
This shift gained momentum last year when the FBI, in collaboration with major cybersecurity agencies from Australia, Canada, and New Zealand, released the first-ever joint guidance on enhancing visibility into and hardening communications infrastructure. The hardening requirements, aimed at safeguarding telecommunication networks against sophisticated cyberattacks, were a direct response to threats like the infamous Operation Salt Typhoon.
Operation Salt Typhoon was a significant cyber intrusion by alleged government-backed Chinese hackers who targeted major U.S. telecoms like T-Mobile, AT&T and Verizon. The attack exposed vulnerabilities in network access points and highlighted the need for enhanced security measures to protect against unauthorized telecom data breaches.
Specifically, the attack revealed two major sources of vulnerability:
- First, attackers managed to access metadata from customer calls and text messages. In some cases, they even captured audio recordings of phone calls from senior American officials.
- Second, the attackers took advantage of private network portals. These portals are usually used by law enforcement when a court order is approved, allowing them to access the network.
In response, the agencies came up with these guidelines:
- Carefully monitor and investigate any changes to network devices like switches, routers, and firewalls that occur outside the change management process.
- Implement thorough alert mechanisms to detect unauthorized network changes, such as unusual route updates, the use of weak protocols, and configuration changes (e.g., modifications to users and access control lists or ACLs).
- Establish a monitoring and network management capability that, at a minimum, enforces configuration management, automates routine administrative tasks, and triggers alerts when changes are detected in the environment.
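The first two guidelines above amount to configuration-drift detection: compare a device's current configuration against its approved baseline and alert on any change that is not tied to an approved change ticket, labelling user, ACL, route and weak-protocol changes. This is an added illustration in Python, not code from the page or the agencies; the router, IOS-style config lines, ticket format and timestamps are constructed.

```python
# Drift detection for a network-device config: flag added/removed lines not
# covered by an approved change ticket in its window. Constructed example.

# Constructed snapshots: the last approved baseline and a later capture.
BASELINE = """\
username netops privilege 15 secret 5 PLACEHOLDER-HASH
ip access-list extended MGMT-IN
 permit tcp 10.0.0.0 0.0.0.255 any eq 22
line vty 0 4
 transport input ssh
"""
CURRENT = """\
username netops privilege 15 secret 5 PLACEHOLDER-HASH
username svc-backup privilege 15 secret 5 PLACEHOLDER-HASH
ip access-list extended MGMT-IN
 permit tcp 10.0.0.0 0.0.0.255 any eq 22
 permit tcp any any eq 22
ip route 203.0.113.0 255.255.255.0 198.51.100.7
line vty 0 4
 transport input ssh telnet
"""
# Constructed change tickets: the config text each approves and its UTC window
# (ISO 8601 strings of equal format compare correctly as plain strings).
APPROVED = [{"ticket": "CHG-1001", "pattern": "ip route 203.0.113.0",
             "start": "2025-03-01T22:00", "end": "2025-03-02T02:00"}]

# Needles mapping config lines to the change types the guidelines single out.
CATEGORIES = [("user", "username "), ("acl", " permit "), ("acl", " deny "),
              ("route", "ip route "), ("weak-protocol", "telnet")]

def classify(line):
    """Label a config line as user, acl, route, weak-protocol or other."""
    return next((cat for cat, needle in CATEGORIES if needle in line), "other")

def config_diff(baseline, current):
    """Order-insensitive line diff: returns (added, removed)."""
    b, c = baseline.splitlines(), current.splitlines()
    return [l for l in c if l not in b], [l for l in b if l not in c]

def unauthorized_changes(baseline, current, approved, observed_at):
    """Return every added/removed line not matched by an in-window ticket."""
    alerts = []
    added, removed = config_diff(baseline, current)
    for kind, lines in (("added", added), ("removed", removed)):
        for line in lines:
            if any(t["pattern"] in line and t["start"] <= observed_at <= t["end"]
                   for t in approved):
                continue  # approved change observed inside its window
            alerts.append({"change": kind, "category": classify(line),
                           "line": line.strip()})
    return alerts
```

Run against the constructed snapshots at 2025-03-01T23:00, the approved static route is silent while the new local user, the wide-open ACL entry and the telnet enablement each raise an alert; the same capture observed outside the ticket window also flags the route.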
This brings us to an important parallel: the Payment Card Industry Data Security Standard (PCI DSS). Originally developed to protect credit card transactions, PCI DSS has long provided a structured, enforceable framework for securing financial data.
You may be asking at this point what PCI DSS has to do with telecom infrastructure. Let’s go back to 2004 for some context. Back then, major credit card companies including Visa, MasterCard, Discover, American Express, and JCB came together to establish the PCI Council. The council was tasked with tackling fraud and theft of consumer credit cards as the world shifted from cash to credit transactions. If you used a credit card in the 1990s, you might recall the old machines that took imprints of your card — making it easy for someone to copy your information.
Each card company had its own standards for securing data. While these standards often aligned, there were times when following one meant violating another. For example, some companies allowed displaying the first four and last six digits of a card number, while others permitted the first six and last four.
The council set out to eliminate the confusion from these varied standards. It established a baseline set of security requirements for accepting credit card payments, along with a process for compliance based on the volume of transactions. Smaller companies could self-attest, while larger companies needed a Qualified Security Assessor or QSA to validate compliance. Failing to comply could result in hefty fines and additional penalties against firms found to be non-compliant after a breach.
Parallels: PCI DSS and telecom security guidelines
As one of the original QSAs, I see striking similarities between the latest guidelines for securing telecom operator networks and PCI DSS 4.0, which also focus on two core principles: enhancing visibility and strengthening systems and devices.
Both emphasize:
- Comprehensive network security controls: Just as PCI DSS mandates strict security configurations for firewalls and network segmentation, the FBI’s telecom guidelines stress securing routers, firewalls, and network devices against unauthorized modifications.
- Change management and monitoring: PCI DSS requires detailed logging, monitoring, and change management processes to track security alterations—principles that align with the FBI’s call for increased visibility into telecom network modifications.
- Baseline security requirements: PCI DSS enforces a minimum-security baseline for any organization handling credit card transactions. Similarly, telecom operators are being urged to adopt fundamental security measures, ensuring robust defenses against potential cyber threats.
Why the new guidelines matter
The need for stronger telecom security isn’t just a theoretical concern—it’s a growing priority for governments and regulatory bodies worldwide. Major telecom providers, including Verizon, AT&T, and T-Mobile, have faced increased scrutiny from lawmakers. With legacy telephony infrastructure proving difficult to secure, industry leaders must recognize that this issue isn’t going away.
While formalized, enforceable telecom security regulations may not yet exist, history suggests they are coming. Much like PCI DSS evolved into a mandatory compliance standard for financial transactions, we could see similar frameworks emerge for telecommunications. Proactively aligning with structured security standards now could help operators stay ahead of future mandates while fortifying their networks against current threats.
What telcos can do now
Rather than waiting for regulatory enforcement, telecom operators should begin treating security guidelines with the same rigor as established compliance frameworks like PCI DSS, CMMC, or FedRAMP. These key steps are recommended:
- Closely monitor configuration changes.
- Enforce rigorous access controls.
- Automate security processes to detect unauthorized activities.
- Align efforts with standards like PCI DSS to draw on proven methods for bolstering defenses.
- Implement structured security controls based on existing industry best practices.
- Conduct regular security audits and assessments to identify vulnerabilities.
By taking a proactive approach, telecom providers can protect their networks, reduce the risk of government intervention, and demonstrate leadership in securing critical infrastructure.
For organizations seeking guidance on implementing structured security programs, experienced compliance professionals—such as a QSA—can provide valuable insights and support.