A year ago, the UK government simulated a total outage of its entire national fixed and mobile communications infrastructure as part of a cyber-defense exercise called "White Noise." Other governments will follow suit as they accept the new reality that while computing and broadband communications have boundless potential to liberate human beings and enhance our lives, large-scale failures or distortions in the way these technologies are used also have the potential to do great harm.
Today, the most severe cyber attacks tend to rely on either the wireline access network as a conduit, or on manual, off-net delivery mechanisms such as USB sticks. Connected PCs were used to deliver the attacks on Estonia, Georgia, and Google, but USB sticks were used to deliver the "Stuxnet" virus to the Iranian power plant, as well as the malware that penetrated US military systems in 2008.
Mobile networks have tended to remain in the background of the debate surrounding cyber security, certainly so far as the most high-profile attacks are concerned. Even so, the last 12 months have seen notable attacks on mobile broadband networks. There was the brute-force attack on AT&T Inc. (NYSE: T)'s iPad users, which resulted in users' contact information being stolen. There was the discovery by Vodafone España S.A. that 3,000 of its HTC Magic devices had the Mariposa Botnet malware installed on them via the phone's memory card. And there have been a number of reports of malware resulting in theft of money or information from Symbian Ltd. , Apple Inc. (Nasdaq: AAPL) iPhone, and Android smartphones.
Depending on exactly how you calculate it, the number of mobile broadband subscriptions worldwide will exceed the number of fixed broadband subscriptions some time either this year or next. And as that transition occurs, mobile network security will emerge as a major market opportunity for infrastructure vendors.
As with any other kind of security, mobile network security requires a multi-layered approach. The operators themselves need secure operational practices; users need educating; handsets and their operating systems need protecting; and the network infrastructure needs securing. Security in the mobile network infrastructure can itself be segmented according to multiple different layers, by domain, the access, backhaul, and core. From an OSI perspective, the network and application layers have their own unique security requirements. And from a deployment perspective, security can be achieved by enhancing the inherent security of the primary network infrastructure elements themselves, as well as by deploying dedicated security products.
As shown in my new report, "Next-Gen Security Strategies for Mobile Network Infrastructure," Nokia Networks and Huawei Technologies Co. Ltd. are first out of the blocks in repositioning themselves as leaders in enhancing the security of their products. Driven by concern on the part of governments in key markets such as the US and India that its products may harbor security vulnerabilities introduced by Chinese government agencies, Huawei has embarked on what one of its executives calls "the world's leading transparency program" relating to its product security. And having seen Huawei grow from a startup to a toe-to-toe equal in mobile infrastructure in just a few years, NSN has identified security as a key part of its strategy for differentiating itself not only against Huawei, but also against Ericsson AB (Nasdaq: ERIC) and other competitors.
For vendors, securing their primary infrastructure requires a focus on three specific things. The first is the product development process – protecting their products against the introduction of benign or malign vulnerabilities through strict monitoring of the development environment and incorporation of market feedback on emerging vulnerabilities. The second is product design features – for example, the ease of patch implementation, support of transaction logs, the level of automation in compatibility testing, and investment in trusted computing silicon. And the third is support for security features in the primary infrastructure that protect both the network and the end user. These include standards-based features such as the 3rd Generation Partnership Project (3GPP) 's encryption algorithms and the new security features associated with IPv6. They also include potential integration of firewall and DPI capabilities into primary network infrastructure products as an alternative or complement to supporting them in dedicated security elements.
Mobile operators are inevitably going to start paying more attention to securing their networks against cyber attacks. And rather than just piling on layer after layer of dedicated security products and solutions, smarter operators are going to start from the ground up by looking to get better protection from their primary network elements. Security-related issues are therefore bound to feature more and more prominently in RFQs. NSN and Huawei are the first of the big primary infrastructure vendors to really understand this – and the need to start communicating around it. Expect others to follow suit.
— Patrick Donegan, Senior Analyst, Wireless, Heavy Reading
For more information about Heavy Reading's "Next-Gen Security Strategies for Mobile Network Infrastructure," or to request a free executive summary of this report, please contact:
- Dave Williams
Sales Director, Heavy Reading