se

ct

or

19In

fosecu

rity Tod

ayM

ay/June 2006

Earlier this year German scientistsworking with Fujitsu transmitted a

data signal at 2.56 terabits per sec-ond, the equivalent of 60 DVDs/s,over a 160km link.This doubled theprevious five year old record and is50 times quicker than the fastestcommercial high speed links, nowaround 40 Gbits/s.A little later, follow-ing his reverse take over of cable TVcompany NTL,Virgin boss Sir RichardBranson outlined his plans for a newcommunication s service.This will in-troduce a single bill for access to anduse of telephone service, mobile te-lephony, broadband connection tothe internet, and television. In trueBranson style, he suggested the Virginservice be called 4Play.

These moves are the more visiblefoundations of an unparalleled integra-tion of content over a single communi-cations connection. Less obviously, sci-entists are starting to unleash a newbreed of objects, typically tiny sensors,that detect changes in ambient condi-tions and communicate them (wireless-ly) to a controller for analysis and re-sponse.The net result is that, to coin aphrase, Big Brother may be watchingyou, but only so that he knows whento deliver what you want.And whatthat is, is a $64 billion question.Researchers at Finland's VTT TechnicalResearch Centre explored the infosecu-rity aspects specifically of digital televi-sion.They say,:“From the informationsecurity management point of view, theinterconnection of the different sys-tems, and understanding the whole en-vironment are very challenging, andhave not yet been solved.”

However, Robert Temple, ChiefSecurity Architect at BT argues thatthere are “no insurmountable technicalor engineering security issues in theway”. He points to the scores of veryactive standards-making bodies that arestriving to build the technical founda-tions for a trustworthy environment.“We've got all the technical standardswe need,”he says; it's who is going totake the commercial plunge.

Temple reckons the market will ‘fed-erate’. In addition to traditional net-work operators, content providersfrom movie studios and record compa-nies to publishers and search enginefirms are starting to jostle for positionwith search engine and network opera-tors.Transaction-based firms such asbanks, credit card companies and retail-ers could enter the fray. It is not incon-ceivable to see AT&T tie up withGoogle,Time Warner and Visa, or BTwith Yahoo, Newscorp/BSkyB andMastercard. Such alliances could makecommercial sense.And there is little tostop them except corporate egos, an-titrust lawyers in Washington andBrussels, and consumer distrust.

State of playThe InternationalTelecommunications Union estimatesthat the world spent $1,248 billion ontelecommunications services in 2004.

That was up 11% on the year before.According to the latest market assess-ment from the European Commission,last year the total EU market for com-puters and networking grew about4% to �614 billion, of which 44%(�273 billion) was for 'e-communica-tions'.Adding content and service rev-enue streams would raise these fig-ures dramatically.

The key market driver is the rate atwhich companies and end users takeup broadband connections.The ECsays there were nearly 53 millionbroadband lines in Europe last year, arise of 20 million over the year be-fore. Market penetration now aver-ages 11.5% compared to 7.3% in2004. Network operators' capital in-vestment, estimated at �45 billionand rising, ensures that penetrationrates will speed up.

Churchill said, "Give us the tools and we will finish the job." We havethe infosecurity tools, but the job of managing infosecurity in an age ofconverged digital networks is only just beginning.

Telecoms – convergencechallenge

Ian Grantian.grant@innovations.eu.com

"We've got all thetechnical standards

we need."

BT’s Robert Temple: all technical standards are in place

Se

ct

or

20In

fosecu

rity Tod

ayM

ay/June 2006

For network operators, the key met-ric is average revenue per user (ARPU).Traditional fixed line voice telephony isstill the main source,worth some �85.8billion in 2005.But it is dropping at anaverage of 1.6% a year.This is due partlyto incursions by mobile telephony op-erators; voice over the internet protocol(VoIP) will accelerate the decline. Skypealready claims its proprietary PC-basedpeer to peer VoIP service has over100m users.European mobile marketpenetration rates average 93%,butsome countries are now over 100%.

ARPUs for both fixed line and mo-bile network operators have stalled. Inthe UK, the telecommunications regu-lator Ofcom, has just licensed 11 firmsto provide mobile (GSM) 'picocells'.From next year the cost of making amobile call from a picocell equippedoffice will drop dramatically. Moreover,the European Commission wants oper-ators to slash the cost of cross-bordermobile calls, currently about 10 timesthe cost of national mobile calls.

Existing network operators are there-fore anxious to find new revenuesources. For most, this means addingservices and down loadable productsto their offering. By and large this re-quires changing the basic networkingtechnology from circuit switched, thetechnology of the telephone, to packetswitched, the technology of the inter-net. It also means forming alliances orcompeting with providers of networkenabled services and/or own copy-righted content. Until now, these weremerely customers.

Most operators are already respond-ing. BT will trial its IP based 21st centu-ry network in Wales this year, withcommercial switchovers from nextyear. Last February mobile operatorsVodafone,T Mobile, Orange and otherssaid they will introduce HSDPA (HighSpeed Down link Packet Access) this

year or next.This will allow them topump data to cellphones at between1.8 and 14 megabits/s. Soon to followare equivalent transmission speeds inthe reverse direction.

These speeds make possible smooth,high resolution, realtime TV to and fromyour cellphone,or laptop,or P.A.Interactive digital TV is currently theperceived Holy Grail,partly because ofthe advertising money that goes into TVand the potential to add transactions toads,but also because their present pric-ing model charges for bits delivered,and digital TV is bit-intensive.However,Baby Boomers' kids are less addicted toTV than their parents.They may spendmore hours with the TV on,but oftenthey are using their cellphones, IPOs orPCS concurrently.As a result, adspendfor TV is falling while adspend on otherdigital formats is rising fast.

Intelligent environmentJust creeping over the horizon arenetworks of 'picocomputers' which,when networked together, will createan 'intelligent ambient environment'.The first concrete manifestation ofthis is the proposed replacement ofthe barcoded label, the RFID tag.Thetag uses low power radio in either ac-tive or passive mode to transmit infor-mation about itself or its environmentto nearby receivers.

Some believe these units will be-come ubiquitous.The most obviousapplications involve identity authenti-cation, monitoring ambient condi-tions, and transactions, often in com-bination.

The biggest problem is that all theseunits, and mobile terminals, use theelectromagnetic spectrum. Spectrum isa finite resource, subject to heavy regu-lation and penalties. Most of it is al-ready earmarked for applications suchas TV broadcast, emergency transmis-sions and the like, leaving little spacefor new applications.

The useable spectrum is finite, soresearchers are exploring other op-portunities.The US regulator, theFederal Communications Commission(FCC) found that some 70% of all allo-cated spectrum may be unused at any one time.This has prompted researchers to consider 'cognitive ra-dio'.The idea is to make transmitters

that listen to the traffic, figure outwhich frequencies are quiet, and thenswitch to them.The snag is that fre-quency changes must be synchro-nized if the receiver is to keep thesignal.The military has had frequencyhopping radio since the 1970s for se-cure, unnameable battlefield commu-nications, but so far it has not caughton for commercial applications.

Who owns the customer?However, BT's Temple notes the realquestion is who owns the customer?Terminal devices are increasingly cus-tomized to accommodate the user'spersonal needs and desires. Productchoice is presently how users gainthe desired personalization. But costand logic suggest that in future per-sonalization is more likely to be afunction of the SIM card.

Until now, cellphone makers haveworked with mobile network opera-tors to roll out new features. However,the switch to IP based traffic is likely toweaken those links. In some countriesusers can already make financial trans-actions using their cellphones, with thecost of the item debited to their cell-phone account.As a result, some banksare issuing bank branded cellphones.

It is a small step technically to usethe information on the SIM card toauthenticate the user to the net-work, to the vendor, and to the bank.This makes the SIM in effect an IDcard.Taking this further will be

"The interconnectionof the different

systems and understanding thewhole environmenthave not yet been

solved."

“Looks like real-time TV to mobile devices is not far away”.

se

ct

or

21In

fosecu

rity Tod

ayM

ay/June 2006

tough because all the players wantaccount control,Temple says.

Although the cellphone improvesconvenience all round,widespread takeup is likely to be governed by the trustthat account holders place in everyone(and everything) in the value 'net'.

The VTT researchers say "The mostimportant factor is the customer's

trust in the service and its provider.The enterprise's reputation, in addi-tion to costs, is important from theend user's perspective when select-ing the service provider."

Referring to digital television, theysay:“For the time being, the applicationenvironment has been restricted andstrictly under the control of the digitaltelevision network operators andbroadcasting channels because the ap-plication comes within the programmesignal.This is going to change due tothe emergence of MHP version 1.1,(which enables) applications to beloaded via the return channel.”

Shifting to IP and terminals with da-ta storage opens them to the hazardsof the internet.As Temple notes, asthe value of transactions and informa-tion on the networks rises, so it islikely to attract better financed, betterorganized and more motivated badguys. Potential new threats include or-ganized crime gangs, terror groupsand hostile states.

The DoS-resistant working group ispart of Cambridge-MIT Institute'sCommunications Research Network,which is researching ways to preventattacks.At its inaugural meeting inJanuary 2005, delegates from 50 inter-ested concerns, including the militaryand intelligence communities, heardthat botnet-based denial of service at-tacks might drain up to 3Gbit/s band-width from the networks.“Alarminglylow amounts of traffic suffice for caus-ing damage,” they heard.This could beas little as a few hundred bots for staticweb pages, dynamic pages and SSL, oreven a few dozen if fired rapidly; SYNscans and bandwidth are vulnerable toanything from a dozen to a few hun-dred attackers. Botnet attacks by up to80,000 nodes were reported.

Current defensive measures includesecuring the core; responding to the in-cident through preparation, detection,classification, trace back, containmentand post-mortem analysis. (For a fullertreatment see http://communication-sresearch.net/dos-resistant/meeting-1/cii-dos-summary.pdf.)

The consensus at the meeting wasthat future defensive architectures arevery hard to predict and build.This isbecause no-one is responsible for it.Furthermore, fixed security standards

could inhibit innovation of profitablenew products and services.

The group planned to set up a reg-istry of attack profiles and attacktypes to track trends. It also hoped toclassify attackers' motives. It plannedto draw up a registry of defence tech-niques, a 'standard' picture of the net-work at any point in time, and to co-ordinate responses to attacks.

As they noted, end users cannot domuch against DoS attacks, so the needis to deal with such attacks as far up-stream as possible.This requires coor-dination at network level and securityregarding specific responses to slowwhat Temple calls the arms raceagainst the hackers.

Even so, infosecurity means differentthings to different people.As the Finnsnote, the emphasis on threats varies inseverity and solutions in different partsof the value net. Content producersworry most about unauthorized useand distribution of programs or othercontent. Network operators worry thaterroneous content will affect terminaldevices and/or users' data and applica-tions. End users' concerns are primarilyinvasion of privacy and identity theft.

Up to now, companies like Googleand eBay have shown staggering suc-cess, despite the infosecurity hazards.In future, the risk-reward ratios forusers are likely to change for theworse. Unless everyone in the valuenet, including the justice system, co-operates, end users are unlikely totrust the system as much as theyshould.Without that trust, despiteglobal networks, the world will be-come a very small place.•About the authorIan Grant is a freelance writer onbusiness issues.

"From the enduser's perspective,

the enterprise's reputation is mostimportant when

selecting the serviceprovider."

New network; same worriesChief security officers who plan to use BT's new IP-basednetwork, the so-called 21stCentury Network, need towork on their policies now because things are going to get complicated.

BT aims to test the new all-digital net-work in Wales in November this year. If allgoes well, it will start cutting over cus-tomers, 50,000 at a time, in 2007. Theaim is to migrate everyone within two orthree years.

Technically, the new network won't carewhat content it carries, as long as it isdigital. For CSOs it means that all the haz-ards of the internet might now affect oth-er forms of communication, such as tele-phone calls and transaction data.

BT's chief security architect, RobertTemple, says the present internet and oth-er services such as fax and data run onnetworks overlaid on the existing circuit-switched network. This is optimised fortelephone calls.

The new network means that each servicewill run in its own 'logical domain', saysTemple. “Each will have its own securityin its own domain.”

Temple warns that end-to-end security is amatter of 'partnership' with the customer.“There is no substitute for good hygieneat the customer level,” he says.

“We may do more as the network ma-tures, but customers will be wise to usefirewalls, end-point authentication, thelatest patches and operating system up-dates, and the like.”

This suggests that, in the short term, BTand other IP network operators are moreconcerned to stop people from accessingservices to which they have not sub-scribed. But bundled offerings such asNTL-Virgin's 4Play are likely to becomestandard very quickly.

“BT faces a competitive market,” saysTemple. “The commercial model must makesense. At present there's no logic in doing alot of anti-virus etc. in the network.”

But with carriers like BT hungry for newsources of revenue, watch this space.