Cybersecurity Bigger Concern to Some Telecom Executives Than Surveillance
DALLAS -- Cybersecurity is a bigger data protection concern to some telecom executives than government surveillance, with IoT security a growing issue, and outsourcing of high-tech manufacturing a vulnerability. Speaking at a Telecommunications Industry Association breakfast Wednesday, executives from Cisco, Ericsson and XO Communications said cybersecurity should be emphasized at U.S. companies, which should get security assurances from vendors, contractors and subcontractors. International coordination also was recommended.
Sign up for a free preview to unlock the rest of this article
Export Compliance Daily combines U.S. export control news, foreign border import regulation and policy developments into a single daily information service that reliably informs its trade professional readers about important current issues affecting their operations.
Companies can be transparent on privacy and security issues by showing source code to customers and being upfront about government surveillance, speakers said. Some said there's too much anxiety over surveillance, and that can obscure the more pressing need to do more to protect systems from data breaches and limit their breadth when they occur. Companies that emphasize security organizationwide have a better chance of limiting the impact of data breaches, said executives including Ericsson Cloud Security Head Stefan Jung. "Enforce a security-aware culture at your company," he said. "It can't just be your security or IT department thinking about this," moderator Chad Pinson, Stroz Friedberg managing director, summed up Jung's remarks: "Everybody needs to."
More international cooperation is needed on data security, executives said. But they said industry can't look to governments or international bodies like the U.N. to entirely solve cybersecurity problems. There has been "more coordination between countries in going after bad guys" but that's often linked to nations' own data security concerns, said XO Chief Operating Officer Amador Lucero. "Look in the mirror to protect yourself" and also at a company's partners, he said. The World Economic Forum has been a venue for cross-national dialogues on cybersecurity, but big bodies "move very slowly" and more progress is needed, said Cisco's Bret Hartman, Security Business Group chief technology officer. "This is very much a geopolitical issue."
The heightened attention to surveillance can overshadow more important cybersecurity issues, panelists said. While encryption is good, many breaches have occurred not because a cryptographic algorithm was broken but because a back-end database was penetrated, Hartman said. "The intrusion was at an enterprise, it had nothing to do with all this surveillance anxiety here." Such breaches are "the true reason why our privacy has been compromised, and much of this information is floating around all over the world," he said. "That's the reality of privacy today. And the issues around surveillance sometimes distract us."
The spread of the IoT to more devices coupled with the need for many companies to share data, movement of information to the cloud and outsourcing are a recipe for data breaches -- or at least user name and password compromises, the experts said. The IoT has been among the focuses of the conference, with other speakers Wednesday saying their networks are expanding connections to machine-to-machine devices (see 1506030021). Jung recommended moving data protection with the flow of that information, by tracking and locating it as it moves, even though such tracking theoretically could be abused. "From a security perspective, we need that level of instrumentation," he said. The cost benefits of outsourcing bring security risks, he said. "You don't have that assurance, that proof of who has interacted with your data, who is manipulating it in the worst case."
Security in the cloud is imperfect, some speakers said. "You're right, it's not a solved problem," Cisco's Hartman said in response to an audience question from an XO employee. It's possible to monitor the cloud for security, Hartman said. "There is no such thing as a perimeter anymore" for security, he said. "The only way to do that is to have distributed points" of protection for data, he added.
With no "100 percent guarantee" that user names and passwords won't be compromised, companies should surveil their own data to see where it's accessed, XO's Lucero said. "You also need to self-protect" networks and data, he said. "Think about how you share your data, where you send it; you might consider protecting yourself from the man in the middle." And IoT-connected devices "are not particularly trustworthy," Hartman said. "We can't trust those end-point devices and never will be able to." That some IoT devices are inexpensive and may never be secure means those products need to be monitored and -- if suspicious activity occurs -- be shut down, he said. "There is a shift in terms of security right back to really looking at behavior and being able to block traffic ... if your robot looks like it's acting crazy, to shut it down."