Monday, May 9, 2005

Industry Alliance Focuses on VoIP Security

The Cyber Security Industry Alliance (CSIA) issued a report that recommends Congress consider cyber security issues facing VoIP as it looks to revise the Telecommunications Act of 1996. The report warns that the same qualities that make VoIP such a valuable new option for mass-market voice communications also can lead to quality of service and performance issues, including denial of service attacks, Spam over IP Telephony (SPIT), session eavesdropping and voicemail hijacking. The CSIA believes an extra layer of security infrastructure can help resolve some of these issues, but not all of them. Since voice communication is a key enabler of critical government services operated by national security and emergency preparedness providers, a VoIP cyber attack could lead to serious consequences, such as loss of public access to critical emergency services like 911.

The CSIA also warns of the fallout from a major VoIP attack on other areas of national security, emergency preparedness and Internet fraud/criminal activity. VoIP vulnerabilities could also act as entry points for attacks on the rest of the network, including non-VoIP applications, systems and infrastructures. Some potential fallout examples include:

  • Crippling impacts on the operations of IT dependent critical infrastructures,

  • Potential for weakening the national response capability as part of a blended cyber and physical attack;

  • Loss of revenue for operation stoppages in call centers, order processing and shipping;

  • Theft, erasure, or alteration of business and personal information; and

  • Violations of privacy and confidentiality regulations, possibly resulting in civil and/or criminal penalties.

  • CSIA concludes that cyber security for VoIP is essential for the
    protection of the entire information technology ecosphere and asks that
    Congress consider several recommendations for securing VoIP technologies, including supporting research & development aimed at improving the security and reliability of VoIP as well as defining roles and responsibilities for agencies such as the Department of Homeland Security, the FCC and the Department of Defense.

Members of the CSIA include BindView, Check Point Software Technologies, Citadel Security Software, Citrix Systems, Computer Associates, Entrust, Internet Security Systems, iPass, Juniper Networks, McAfee, PGP Corporation, Qualys, RSA Security, Secure Computing Corporation, Symantec and TechGuard Security.

See also