The noose is already round your neck!

 

By Simon Woodhead

In ye olde days, when punishment by hanging was a thing, life wasn’t fun but there was one positive (beyond being there to witness one of our competitors’ last maintenance windows!). Being imprisoned, led to the gallows to the sound of jeering crowds, having a hood put on and feeling the noose put around your neck – all clues that the end was nigh. You were in no doubt what was in store for you, I imagine.

As we digest the Telecom Security Regulations or, more recently, the technical guidance put out by DCMS, we’re concerned. I don’t go in for drama or evocative metaphors normally but, quite seriously, we’re witnessing the dramatic reshaping of an industry. I’d go as far as to say that, due to the extensive, onerous requirements being imposed, you’re on the gallows and the hood and noose are in place. But you’re completely unaware. There are no jeering crowds, you haven’t been imprisoned, but life is about to change forever and for many it’ll end.

We don’t disagree with the stated aims of the TSRs and have spoken on many occasions about the overly amateur approach to infrastructure and security and rather casual relationship with integrity exhibited by so many across this industry. There are many solutions to that but, put very simply, putting the majority of players in the market out of business because the largest chose to riddle their network with cheap Chinese gear is not one of them.

A cynic might say that DCMS had looked at the historically lauded success story of UK telecoms, with hundreds of competitive players (we’d disagree with ‘competitive’ there but that’s for another day), and decided that the European and US model of having a handful of mega-corps is greatly preferable. It works in banking; it works in weapons sales; and it works in pharmaceuticals. So why not Telecoms?

We see the endgame to be exactly that. Rather than hundreds of operators, some running networks, others being various flavours of value-added resellers, we see the world morphing to be larger networks and dealers. Resellers may see becoming a dealer as a very subtle change but in reality as a dealer the customer is no longer yours, the order form is no longer yours; you’re an affiliate introducer not a “carrier” as many describe themselves. Where it really bites though is in the ISP/ITSP space, those who own and operate some level of infrastructure, and originate their own service.

In reality, if you choose to carry on as you are, you’re going to need a Compliance function and robust processes and manpower to manage the security posture of your infrastructure. Think GDPR was bad? This is GDPR x 10. Those companies who have built and innovated, i.e. done everything we love, have a rude awakening coming, unless they’ve reached scale enough to buy in resources to manage this stuff. 

To give you one small example: when the draft DCMS technical guidance was published we had a phone call internally here to try and make sense of some of it. We’ve long maintained that customers should come on-net, cross-connect locally or use an IXP to reach us rather than the public Internet. However, the guidance so far suggests that isn’t anywhere near enough. It is debatable (and we had this debate for many hours) whether a direct cable in a data centre requires encryption, which by consequence means our own optical waves between data centres probably do, and others using flavours of MPLS or layer2 connectivity (including over our network) most definitely do; perhaps cross-connects within our own racks do too? And don’t think that it’s just voice; on first reading, ISPs and IXPs need to identify and block unencrypted traffic in all forms. That is just one example of the potential scope of this thing.

Of course, some still have their network riddled with Chinese gear but have the rest of the capital cycle to replace it with no penalty. They also have processes which are an abysmal security hazard. I say that having had to fire up an old Windows VM with all security settings turned down just to be able to fill in one of their God-forsaken ActiveX-laden spreadsheets! Their own firewall will reject it as a virus of course, so their advice is to zip it before emailing! You seriously couldn’t make it up and they’re going to really struggle to comply in our opinion. However, it is very different coming from a position of ‘too big to fail’, a member of the oligopoly, and being intended to have a seat at the table, versus being a non-compliant little gnat buzzing around and best squashed!

We’re far closer to the gnat end of that equation than being welcome around the table, but we have a duty to survive and believe we are in quite a unique position to do so. For one, we’re vertically integrated from our own owned network (an actual one, not an ‘award winning’ pretend one) through varying flavours of commercial offering that fully accommodate the changes, subject to our customers deciding where they want to be. It may be you wish to maintain some of your infrastructure but outsource certain obligations; it may be you decide you don’t want any infrastructure or obligations but do want to retain branding and customer ownership; it may be you just want to sell and have no responsibility at all! We have all those covered – pick up the phone to talk to us.

I don’t like putting out what some would call FUD. In fact, I hope I’m wrong on the trajectory we’re on, and would welcome being so. However, you need to think about your business and what it potentially looks like in 5 years’ time. We can help, but you need to want our help first. I strongly encourage you to look at what’s coming as early as possible.

My colleague Pete Farmer simultaneously wrote a variant of this blog with more in the way of actual examples. We’ll publish it as well in a few weeks.