Telecommunications providers are giant targets for cyber-attacks because they are hubs for digital traffic, which is why they have to shift from being reactive to proactive, a telecom conference in Toronto was told Monday.
“Why?” Vivek Khindria, Bell Canada’s director of information security, asked rhetorically. “Because it’s cheaper, you can retain staff more easily, you can predict your budget better, and you’re more in control.”
According to Khindria, many if not most major companies – including telcos – experience hundreds of attacks every hour, ranging from simple port scans to the multi-gigabyte DDoS attacks that grab headlines. The answer, he believes, is a “control maturity program” that maps the state of an organization’s actual security capability against the kinds of possible threats and then lays out a strategy for getting the security to where it needs to be.
The rise of cloud computing brings added complications, Khindria said. “It’s not a simple cloud anymore – you have layers of clouds, clouds of clouds, hybrid clouds, internal clouds – and in some newer forms they can go six levels deep. It’s a huge challenge to maintain security in this environment.” Older forms of signature- and pattern-based security – your grandfather’s desktop antivirus software – are still needed, but they’re dwindling in importance, Khindria said.
He was speaking on the first day of the annual Canadian Telecom Summit, a conference where telcos, Internet service providers, network equipment providers and regulators mix to discuss industry problems and solutions. Khindria was part of a panel on cyber-security.
David Craig, partner at PricewaterhouseCoopers (PwC) Canada, painted a jarring picture of the variance between perception and reality when it comes to telecom security in particular. PwC does an annual survey of 10,000 professionals in a range of markets, but this year it got such a good response from telecoms companies that the firm broke out some figures for the sector.
Seventy-one per cent of people in telecommunications believe telecom is doing a good job with security, Craig said. However, some top-level execs are markedly less confident. “The CFO is getting very nervous about signing that compliance form,” Craig said.
Telecoms see themselves as in the vanguard of security efforts, given how much personal data customers carry and exchange on smart phones, but Craig pointed out that 20 per cent of telecom execs couldn’t even say whether they’d been attacked.
Marcel Labelle, associate partner with IBM Canada, noted that computer services, government agencies and the financial sector are the most heavily attacked. He said there’s been a huge increase in the number and depth of attacks from 2011, which IBM’s “X-Force” research and development team dubbed “The Year of the Security Breach,” through 2012 and 2013, which saw the “relentless” use of massive, multi-vector attacks.
“The cost of data breaches is going up,” Labelle said. “It rose 15 per cent last year. The average cost of a stolen data record is $145 each, and data breaches involving the loss of sensitive data averaged $3.5 million last year.”
Security has definitely become a topic for C-level executives, who all have their own motives, Labelle said. For the CEO it’s safeguarding shareholder value, for the CMO it’s the threat to customer trust and brand reputation, for the HR department it’s the defence of private, personal information, while for companies developing their own intellectual property the reasons are obvious enough. “It’s a compelling argument for why we need to secure corporate information,” Labelle said.
Ron Deibert, director of the Citizen Lab, part of the Munk School of Global Affairs at the University of Toronto, brought up the recent Supreme Court ruling that police can no longer ask for basic subscriber information from ISPs and carriers without a warrant.
“That decision represents one small piece of the emerging picture of getting more information out about how telcos and ISPs routinely share user data without a warrant,” Deibert told IT World Canada after the panel session.
Unlike some vocal critics of the federal government, Deibert doesn’t believe Ottawa is actually engaged in abuse of power. For him, though, warrantless disclosure of private information is an abuse-of-power issue even more than it’s a privacy issue.
“The decision is fundamentally important in that it has found warrantless disclosure unconstitutional,” Deibert said. “Now the government’s proposed cyberbullying law [Bill C-13], and other legislation they’re trying to get approved, will have to be reexamined.”
Deibert believes that the recent voluntary corporate disclosures by TekSavvy and Rogers about how much private information they provide when asked by enforcement agencies, while they don’t go far enough, are critical steps toward getting government to be more accountable for the protection of citizens’ private data. And the revelation by Vodafone that six unnamed countries can demand the full voice content of subscriber conversations, Deibert says, is at least as significant as the disclosures of former National Security Agency (NSA) contractor Edward Snowden.