- Regulators in the U.S. and E.U. began cracking down on cybersecurity in 2023 with the passage of several new rules
- Ericsson predicted even stricter enforcement measures will follow in 2024
- The vendor expects an even greater focus on full stack security in the coming year

Regulators will be tightening the security screws in 2024, Ericsson predicts, building on a rise in regulations and legislation seen across the globe this year.
According to Ericsson Security Solution Manager Hsin Yi Chen, regulators are showing a “full-stack” focus on modernizing security infrastructures, from the security of the product development itself to upper levels like security operation and deployment — and that looks different depending on how old the technology is.
“[In] cloud security, we are already in the new era, where zero trust or security-by-design is embedded,” Chen said, but regulators are “also focusing on the old technology, the legacy ones like the OT technologies… They're putting focus and enforcement to advance legacy products’ lifecycle security management.”
That focus extends to IoT technology, she added, which has had fewer security measures as a newer concept. Chen predicts more guardrails and investments will emerge around IoT in 2024 — as IoT malware attacks shot up a staggering 400% in the first half of 2023 compared to 2022, according to Zscaler’s 2023 threat report.
“These IoT attacks, a lot [are] generated from the insecure usage of the IoT product,” she described, listing default passwords and default configurations as “breaking point” paradigms of IoT breaches. “They're also on the upper level [of the stack]. During the operation of those products, they should be operated in a safe manner.”
From legacy to IoT, Chen said that customer conversations across Ericsson’s many involved markets continue to look to the U.S. and European Union (EU) to trailblaze the landscape of cybersecurity as the regulatory hammer comes down even harder in 2024.
Laying the groundwork
Chen said 2023 was a year for laying down the law in the cybersecurity realm. Already, the U.S. Securities and Exchange Commission (SEC) adopted rules for risk management, governance and incident disclosure by public companies — adding to a growing list of laws and regulations (dependent on the state) making headway this year.
The European Commission proposed the EU Cyber Solidarity Act to improve incident detection and response preparedness across the EU. Around the same time, it moved for an amendment to the EU Cybersecurity Act adopted in 2019, proposing regulations on “managed security services.”
The EU also brought in the NIS2 Directive — an update of the original NIS introduced in 2016 — to reinvigorate efforts for improved cyber resilience across critical infrastructure and essential services. Yet many organizations remain underprepared to comply with NIS2 just a year before it comes into force, according to a survey from cybersecurity company SailPoint.
Chen told Silverlinings that the company’s customer base has provided visibility into these different markets, both in terms of where they are in their network security developments, as well as the impending rules they face.
The telecom vendor’s $14 billion win over Nokia to help AT&T with its open radio access networks (RAN) deployments represents an “advanced” example of where operators might be on their network journey, Chen said, noting the open architecture comes with a much more complex security environment. Still, their customers on the other end of the spectrum also show increasing mindfulness of these forthcoming regulations being “put in force in 2024.”
Security is all about risk reduction, she explained. “It's always hard to put the money on top of security and justify security investments.” But now — from formidable fines to C-suite accountability — regulators “are really putting the fear [in] operators” to take a hard look at their compliance calendars.