FORT LAUDERDALE, Fla.—The young woman in the brown uniform looked at me suspiciously. “I need some photo identification,” she said. I glanced at her shoulder patch showing that she was with U.S. Customs and Border Protection and handed over my passport. Once she saw the document and confirmed (apparently to her disappointment) that I did, indeed, look like my photo, she motioned me through the gate in the security fence.
This was the first time I could remember when I’d had to get past customs just to enter a convention center, but I decided that it must mean that the people putting on the Competitive Carriers Association annual meeting took security seriously. This was a hopeful sign, since I was presenting a panel discussion on security for mobile devices. Later, I would find out that the presence of the Border Patrol was unrelated to the conference—the city of Fort Lauderdale had changed something about entering their port, thus the security.
The topic of the panel discussion I was moderating was “Security Works Both Ways: Helping Your Customer Stay Secure,” which was intended to cover how carriers and providers of infrastructure need to work with their end users because security is a common requirement. This panel turned out to be remarkable for two reasons. The first was that we stayed on topic, which is unusual.
The folks who came to see what we had to say were, in fact, very interested in the issue because it turns out that security issues that reach their customers also affect the companies. Some of the effects can be significant. For example, if malware makes a device on their network turn an endpoint into a bot network client, the carrier’s network could suffer from the vast traffic load, but also by having its traffic to other networks blocked.
But, of course, things like malware aren’t the only problem, as one panelist, my friend David Gewirtz, said when he pointed out the second remarkable thing. “Never underestimate the efforts of your users to overcome your security,” he said. Gewirtz then told about one instance in which one of the first things a user had done, when issued a smartphone, was to try to eliminate all of the security protection.
Fortunately, not every end user actively works to defeat your security, but that doesn’t mean security of mobile devices is simple or easy. In fact, the nature of the devices, that they’re inherently in an insecure environment, adds to the complexity of their security overhead. Not only do you have to worry about malware and hackers, but you also have to worry about them being lost.
The security issues go on from there. One audience member talked about a security problem that presented unexpected challenges to the small rural carrier for which she worked. There, the problem was that someone in Jamaica was calling her customers and leaving messages promising big rewards and then leaving a phone number.
When the customer called back, it appeared to be just another call from an unfamiliar area code, but what actually happened was that the particular area code was part of a scam. Calls to it seemed to be calls within the United States, but instead were to a specific area code in Jamaica where long distance calls from the states were charged at a rate of hundreds of dollars per minute. Those customers obviously wanted their carrier to help them cover the costs, creating a financial risk to the carrier.
Mobile Security Is the Responsibility of Everyone in the Data Chain
This caused a difficult problem for this carrier, but the same problem exists for all carriers who have to balance their requirement to pass all traffic against the risk that some of that traffic might cause. In this case, the carrier instead intercepted calls from its customers to that Jamaican area code and let them know that they were about to incur substantial charges.
The remedy in this case was effective since the scam preyed on the fact that most telephone users aren’t able to tell whether an area would have such a high cost, but security remedies aren’t always so easy to fix. For example, carriers still have to deal with platforms that aren’t secure and can’t be made secure, and thus open themselves to problems caused by their users, even if they had nothing to do with them.
That illustrates the new interdependence between carriers, infrastructure providers and customers. There is no single place where security resides. Carriers must take some role, if only because they will reap some of the consequences. Likewise, users must have a role, if only because it’s their information that will ultimately be stolen or their phone that will become part of a botnet. And infrastructure providers, whether they’re building the networks or the devices, must be part of the solution because this is where the data, good and bad, resides.
Because of this, security becomes an effort by everyone in the data chain. And without everyone, security becomes impossible. Even with everyone’s help, it’s still nearly so, but there is a chance for a good outcome.