IBM’s 2007 Survey of SP’s “The State of Security in Carrier Service Delivery” is out and making the rounds of the security trade journals. While surveys like these are obvious marketing tools (i.e. buy IBM’s security consulting services and products), the results are useful data points.
“… 87 percent of the curvey participants indicated that next generation networks (NGNs) will faile without strong security. However, fewer than half of the respondents (46 percent) said their companies had a strategy in place for mitigating security risks posed by NGNs.”
The heart of the problem we face is that most SPs have no clue to the real security risk. It is all perception. As mentioned in past blogs and in Wiki articles, SPs know we have security problems when we move from seperate infrastructure each dedicated to a few services to a converged infrastructure all ridding on one network. Add to that the End-to-End principle of IP based networks and you have a new security challenge.
Like all security challenges, action is not driven by talk. It is driven by risk. Sure there are problems, but are those problems real and actualized risk? Yes, “92 percent said a hacker with “moderate” technical knowledge could compromise IPTV,” but why would a hacker do this? What is the criminal motivation which would lead someone to take down a community’s telecommunications infrastructure? What would happen when half of Tennessee’s homes and business have no phone, TV, or Internet? What would happen when all the “eggs” are in one basket and all a bad guy needs to do is poke at the infrastructure and watch the entire system disrupt?
“If you are not scared yet, you don’t understand the problems!” Mike O’Dell’s shout at an IETF (July 1997) reflects the take away SP Executives need to take with this survey. Moving every service to one network “End-to-End” network opens up risk the telecommunications system has never faced. Executives need to be worried when a packet from one side of the world can impact a network on the other side of the planet, having a network reaction which then impact other networks. That is called loss of business control. Any business which looses control of their business many not be a real or viable business.
So are those “46%” of respondents who said their have no security strategy viable telecommunications businesses? If you are a consumer of telecommunications services, should you ask your provider “what is your security strategy?”