CTIA's View of Mobile Security
Some of what the new paper has to say is pretty familiar, even predictable, to IT security professionals. "Enabling cyber-security cannot be achieved by following a set list of mandated criteria," as the paper argues, is a common appeal to law-makers not to second-guess network security experts by setting security requirements in stone, but rather to give these professionals the flexibility they need to be adaptable in a permanently dynamic threat landscape.
The CTIA paper also recognizes "the futility of a single fix" for mobile security – another key principle in any security strategy, and one that security solution vendors would do well to adopt in their marketing messages when selling into CTIA's mobile operator membership. No matter the caliber of a given security solution, it is never a silver bullet. Neither does it operate in a vacuum – so how does the monitoring, detection or mitigation capability it provides correlate with the rest of the operator's security environment?
CTIA advances the licensed cellular spectrum interests of the mobile carriers throughout the paper. Consumers are urged to "avoid using unknown Wi-Fi networks" and "use public Wi-Fi hot spots sparingly" as part of an extensive list of dos and don'ts pitched at the end user. Indeed, while stressing the importance of every player in the mobile value chain playing its part in enforcing security, the paper nevertheless states that "the most important players by far are the end users and consumers. Why? No matter how comprehensive a cybersecurity apparatus is maintained, consumers and other end users must ultimately take responsibility for their actions."
Any industry association paper of this kind can be as notable for what it doesn't address as for what it does. So while Secretary of Defense Leon Panetta generated headlines around the world earlier this month when he stated that the U.S. is vulnerable to "a cyber Pearl Harbor" that could "paralyze and shock the nation," CTIA's focus in its mobile security paper is on the lower-octane, but ultimately more pressing, issues: protecting consumers and enterprises from financial scams and from the theft or leakage of private information, and preserving the integrity of their mobile devices.
Hence the CTIA paper accurately reflects the reality that Verizon Wireless et al. are nowhere near the top of the list of targets pawed over by the kinds of nation-state-supported cyber-warriors that keep Panetta up at night. Even if they were, if the high-profile outages at Telenor, Verizon Wireless and O2 have taught us anything in the last year or two, it is that – for now at least – benign errors made by a vendor or by an operator's own operations team are a lot more effective than malicious security attacks when it comes to triggering outages in a mobile network.
The paper is necessarily diplomatic, emphasizing the need for collaboration rather than finger-pointing. On smartphone security, for example, CTIA states that "no platform is perfect," a sentiment that many security professionals in the mobile operators can be heard to utter as well, albeit less generously, and with the use of considerably more robust, colorful, even hair-raising language. From my research in this area, it's not just the security of the operating systems that needs improving; it's the length of the OS vendors' commitments to security-patch specific releases, the coding of many mobile applications and the tendency of some smartphone vendors to cut corners with security in order to enhance the performance of applications.
There's plenty in this paper for raw technology enthusiasts. The section on encryption, for example, warns that "there are as many standards for the encrypted transit of data as there are touch points within networks. Responsibility for these standards can range from the application itself to the device, the transport, the core, the cloud, etc. and careful attention is needed on the interweaving of these standards." That "careful interweaving" is indeed one of the major challenges that leading mobile operators are wrestling with now – for example, as they deliberate whether or not to use IPsec encryption of traffic on the S1 interface in the LTE network. The paper also points to the potential of two-factor authentication, an approach that Microsoft has just endorsed with its acquisition of PhoneFactor.
Perhaps the most important strand in the security strategy articulated by CTIA in the new paper, though, can be found in the section on "Expanding Cybersecurity Defenses." Here CTIA states that "delivering advanced security is a defensive necessity for maintaining operations, but it's also a tremendous offensive asset as a competitive differentiator and overall engine for growth."
There is a lot more to this statement than perhaps meets the eye. Earlier this year, in comments that were barely picked up at all in the press, Randall Stephenson, chairman, CEO and president of AT&T, spoke at the Milken Institute about the next wave of growth in mobile broadband services and applications. The two he highlighted in particular were mHealth and mCommerce.
Stephenson talked about what the "long pole in the tent" is going to be in terms of actually capitalizing on those huge new opportunities for the mobile industry. "The long pole in the tent isn't going to be the technology, it isn't going to be the buildouts," he said. "The long pole in the tent is going to be getting the ecosystem to be robust in protecting data and making sure you control who sees the data, how it's shared and how it's transmitted." As the new CTIA paper explicitly recognizes, that's where the mobile industry's security focus needs to be.
For more on CTIA's views on cybersecurity, John Marinho, VP Technology & Cybersecurity, CTIA, will be speaking at Mobile Network Security Strategies: New Threats, New Opportunities, Light Reading's first ever one-day conference on mobile network security, in New York on November 28.
— Patrick Donegan, Senior Analyst, Wireless, Heavy Reading