White Paper: Guiding principles for security in a Networked Society

The technological evolution that makes the Networked Society possible brings positive

change in many dimensions, but also exposes new threats.

To meet this challenge, security must be an ongoing and holistic process that

guarantees connectivity, requires minimum user effort and protects communication,

as well as addressing access and right to privacy concerns.

Security efforts should center on three principles: a multi-stakeholder approach,

integrated security and viewing security as a continuous process.

ericsson White paperUen 307 23-3230 | February 2014

Guiding principles for security in a networked society

GUIDING PRINCIPLES FOR SECURITY IN A NETWORKED SOCIETY • TRUST IN THE NETWORK 2

Trust in the NetworkWe are heading towards a future in which virtually everything people do will involve communication

over a network. This transformation is well underway, with the number of mobile subscriptions

reaching 6.7 billion, and mobile broadband subscriptions topping 2.1 billion, in 2013 [1]. By 2019,

there will be a projected 9.3 billion mobile subscriptions – more than the number of people on

the planet – including 5.6 billion smartphone subscriptions alone [2]. To this can be added vast

numbers of fixed line subscriptions and free hot spot accesses and more.

But this is only the beginning of a broader connected transformation, one that is already

revolutionizing industries such as medicine, energy, education, transportation and financial

transactions, just to name a few. Enabled by broadband everywhere, declining costs of connectivity

and increasing openness, this transformation will unlock massive value for people, business and

society, as information and communications networks – including the software and applications

critical to running them – become an increasingly critical infrastructure.

However, there is a fundamental quality that must be continuously earned, and that is trust.

Users, companies, governments and organizations of all kinds must be able to trust that networks

are robust and reliable and that the

information carried over them is secure. This

expectation is not new, but there will soon

be exponentially greater complexity within

– and dependence on – the communications

infrastructure, which will raise the stakes for

keeping the network and associated data

safe.

Security can be defined as the activities

necessary to predict, detect and counter

threats to the availability, integrity and

confidentiality of information and key assets.

These activities ensure the appropriate level

of security in products and services, and

they encompass deployment, security

functionality and development processes,

as well as the proper implementation of

security solutions and safeguarding of

network operations.

With these ideas in mind, security efforts

should be guided by these perspectives:

> services should always be available

> security should require minimum effort from users

> all communications should be protected

> it should not be possible to manipulate the information in the networks

> all access to information and data should be authorized

> the right to privacy should be protected.

To guarantee the adoption of these perspectives, stakeholders should focus on a few key

building blocks: a multi-stakeholder approach, a focus on integrated security, and a view of

security as a continuous process. Putting these into action will require openness and collaboration

within and across industries, national and international multilateral governing bodies, as well as

civil society organizations. This is instrumental for creating the standards and global best practices

that can best ensure secure networks, products, operations and product development practices,

assuring that security doesn’t become a barrier to reaching the potential of the Networked Society.

Figure 1: The integration of connectivity into our way of life.

GUIDING PRINCIPLES FOR SECURITY IN A NETWORKED SOCIETY • TRANSFORMATIVE TECHNOLOGY, EMERGING THREATS 3

Transformative technology, emerging threats Powerful and robust communications networks are a foundation of the global economy, and they

are already sparking dramatic transformations in industries and society by enabling new ways

of innovating, collaborating and socializing. The scale of this economic and technological shift

is on par with the industrial revolution and its major innovations such as the steam engine,

electricity and steel manufacturing. To put the current situation in perspective, data traffic grew

by 70 percent between 2012 and 2013 alone, according to the Ericsson Mobility Report [1], with

mobile data traffic expected to grow by a factor of 10 by 2019.

As transformative technology and tools emerge, however, attacks on networks are becoming

ever more frequent, more sophisticated and are being felt across a broader spectrum of platforms,

networks, devices and services. The primary focus areas within security today include:

> devices, which have become more open

and more capable, as well as the new

possible uses of those devices, including

bring your own device (BYOD), and

machine-to-machine (M2M), which

typically features less capable devices.

> new communication patterns, such as

those involving M2M and social media.

The long lifetime of some devices – for

example, sensors – are an additional

challenge with their security features that

must be kept updated.

> a multitude of new third-party software

and application ecosystems.

> a wide variety of heterogeneous networks,

including Wi-Fi, local area networks,

software-defined networking and mobile

networks with high availability.

> cloud and big data, which raise many

governance, security and privacy

questions, for example, about where data

is stored and who owns and can access

data.

At the same time, the threat landscape is fragmented, with attacks targeting both users and

organizations coming from a wide range of actors, including hacktivists, organized crime and

groups practicing industrial espionage. Cyber-attacks from these sources target all kinds of

devices, services and networks, and come in a variety of forms, including information theft, fraud,

identity theft, denial of service and malware. But non-malicious users are also a danger, through

lack of awareness in the choice and handling of passwords and in spreading viruses and other

malware.

These security challenges have been well publicized, and there is a growing public awareness

of both online hazards and the need to update legal and social codes of conduct in this area. In

a recent Ericsson ConsumerLab study [3], 70 percent of respondents considered security issues

Figure 2: Mobile data traffic by segment, 2013 and 2019.

GUIDING PRINCIPLES FOR SECURITY IN A NETWORKED SOCIETY • TRANSFORMATIVE TECHNOLOGY, EMERGING THREATS 4

a concern while online; almost 60 percent said they worried about online surveillance; and 56 percent

said privacy issues were a concern. When it came to first-hand experiences, 68 percent had dealt

with computer viruses themselves, and 31 percent stated that someone close to them has been

exposed to internet fraud.

The ConsumerLab researchers concluded that user perceptions of risk are built on a blend of

first-hand experiences and hearsay. This makes people aware of risk but leaves them unsure about

when, where and how to assign and assess those risks, as well as what actions to take if a problem

arises.

The effect of this uncertainty should not

be underestimated, and privacy, security

and safety concerns are already having a

direct effect on how people use

communication infrastructure. Through

transparency and engagement, it is crucial

to support consumers to move from a

simple awareness of risk to a better

understanding of how ICT works, in order to

increase users’ sense of safety and trust.

Yet, at the same time, security solutions

cannot be overly complicated and must

require only minimum effort from users –

whether they are individuals, enterprises or

network operators – while still providing the

appropriate level of security for any particular

context.

EVOLVING NETWORKS

The Networked Society is by nature heterogeneous, with multiple players – including operators,

vendors, developers, service providers and enterprises in a wide range of industries – involved in the

generation, communication, presentation and application of data. This means that networks are both

growing in size and complexity while also converging towards a common set of technologies.

Information that was previously carried on different types of telecommunications or access networks

is now increasingly combined onto interconnected IP-based networks. This allows the network to

serve as a common utility, with service providers able to increase geographical coverage, support a

growing subscriber base, and offer new services that cross business and borders. But at the same

time, if security is not properly addressed, this shift also makes networks more vulnerable. For

example, money transactions increasingly flow over the network, which provides new financial

incentives for cyber-attacks.

With open operating systems and development environments, smartphones and other smart

devices also allow software developers to publish – and for users to freely download and install –

apps. Combined with the increasing processing power and massive number of devices in use, this

creates an ecosystem in which attackers can exploit vulnerabilities to deploy malware, among other

cyber-attacks. For example, if devices are infected with malware that includes them in a bot network,

the devices could be used to mount attacks against users, services, enterprises and the radio network.

Figure 3: Consumers’ view on privacy and security online.

GUIDING PRINCIPLES FOR SECURITY IN A NETWORKED SOCIETY • PERSPECTIVES ON SECURITY 5

Perspectives on security Consumers and enterprises must be able to trust that devices, services and networks are able

to protect their privacy and keep them safe from cyber-attack. This places tremendous pressure

on networks, service providers and device manufacturers when delivering relevant, personalized

services and applications. Since no single player alone can ensure the necessary level of security,

it is essential that every stakeholder collaborates and works with these perspectives in mind:

1. Services should always be available: Networks must be resilient and built in a way that allows

for fast recovery from attacks.

2. Security should require minimum effort from users: Security solutions must be usable, scalable,

manageable and non-intrusive.

3. All communications should be protected: Security needs to be defined, implemented, managed

and maintained not only as technical solutions but in compliance checks, secure operational

processes and procedures, and with regular auditing and improvement.

4. It should not be possible to manipulate the information in the networks: The intended receiver

of any data or communication should be able to access that information in its original form,

or be able to detect if it has been manipulated.

5. All access to information and data should be authorized: There must be proper security

mechanisms for authentication, authorization and access control.

6. The right to privacy should be protected: Users must feel their privacy is respected when

using networked services, including secure storage and secure transmission of data. With

this in mind, clarity, transparency and permissibility must be top priorities when handling

private information.

Achieving these goals will require stakeholders to work with broad and pragmatic principles

that provide users with both a high level of security end-to-end and safe experiences across

borders, ecosystems and products and services from different vendors and service providers.

GUIDING PRINCIPLES FOR SECURITY IN A NETWORKED SOCIETY • A MULTI-STAKEHOLDER APPROACH 6

A multi-stakeholder approachSecurity can only be achieved by cooperation among industry stakeholders, policymakers,

regulators and civil society organizations, and then further guaranteed by open and transparent

processes. While it remains important for users to keep passwords secret, security mechanisms

– such as algorithms – that depend on secrecy cannot be completely trusted. Security solutions

build stronger trust if they can be openly discussed among experts, and withstand professional

scrutiny and peer review.

Governments, agencies and regulators around the world have recognized the economic and

social importance of this area, and the subject is high on political agendas, with the US [4], the

European Union [5] and India [6], among others, releasing either new or updated cybersecurity

strategies in the past year.

There is a real risk that uncoordinated global efforts in this area will lead to a diverging set of

security requirements, which would jeopardize not only interoperability, but make security that

much more complex to guarantee. Global standards and best practices are therefore fundamental

to the efficient handling of threats – especially those that originate across national borders – as

well as to building economies of scale, avoiding fragmentation and ensuring interoperability.

Therefore, it is essential that industry stakeholders – including operators, vendors, regulators,

policymakers and IT-focused companies, as well as players from other industries – work together

to set common and open security standards that specify what needs to be secure and protected,

rather than mandate the use of a particular technology.

Industry and governments have, over the years, developed standards, best practices and

security technologies that provide security on the internet and communication networks (for

example, IPsec, Secure Socket Layer / Hypertext Transfer Protocol

Secure and the 3GPP standards).

However, existing 3GPP and internet standards have not

completely addressed how to securely implement protocols, test

for vulnerabilities and manage security-related issues throughout

a product life cycle. In response to this, 3GPP has designed a new

set of standards, called Security Assurance Methodology (SECAM),

which establishes security requirements not just for products but

also for product development processes.

According to proposed SECAM rules, accreditors will verify a

3GPP manufacturer’s overall capability to produce products that

meet a given set of security requirements, which will eliminate the

need for explicit certification on a per product basis, while also

encouraging a solution based view [7].

Beyond standards, collaboration among relevant stakeholders

can encompass a number of practical areas, including information

exchange, threat analysis, performance analysis, sharing of best

practices and encouraging cutting-edge research. Cooperation is also important for other

emerging connected infrastructures – such as energy, transport and health care.

Stakeholders must also be aware of specific human rights challenges that arise, such as threats

to freedom of expression and the right to privacy, as well as other negative impacts that can

come from the misuse of connectivity and technology. Particularly, the use of ICT to restrict or

violate human rights – even if not an intended use of a given technology – poses a significant

ethical challenge for policymakers and actors across the entire ecosystem. It’s crucial that these

concerns are highlighted and addressed in a comprehensive way, and that stakeholders work

actively and collaboratively to minimize the risk of violations [8].

STANDARD BODIES AND OTHER ORGANIZATIONS

• Third Generation Partnership Project (3GPP)

• Alliance for Telecommunications Industry Solutions (ATIS)

• Cloud Security Alliance (CSA)

• European Telecommunications Standards Institute (ETSI)

• GlobalPlatform

• GSM Association GSMA

• Internet Engineering Task Force (IETF)

• International Organization for Standardization (ISO)

• International Telecommunication Union (ITU)

• Open Mobile Alliance (OMA)

• OpenID Foundation

• Openstack

• Trusted Computing Group (TCG)

GUIDING PRINCIPLES FOR SECURITY IN A NETWORKED SOCIETY • A HOLISTIC VIEW 7

A holistic viewIt is crucial to work holistically with security, from developing products and creating network

architecture to designing operational processes and managing operations. When designing

solutions – which encompass management, products and services, and the situations in which

products and services work together – security must be part of the basic architecture, not patched

on as an afterthought. Only with secure development practices, secure products and secure

processes can networks be operated in a truly secure manner.

SECURITY FROM THE START

To ensure the appropriate security level, it is important to set ambition levels as early as possible

and then follow through on those plans with continuous focus on product or service implementation.

An effective model to accomplish this should include the following concepts:

> developing the right security functions for a product or service

> verifying that the security functionality works as expected

> documenting functionality to enable secure operations

> providing professional services to ensure

that security requirements are met.

The most important R&D processes to

assure system security include: risk

assessment, security function specification

and implementation, hardening and

vulnerability analysis.

Risk assessment investigates how likely it

is that a given product could be hacked or

attacked and what the impact would be,

examining issues such as which interfaces

are available and how the product is

accessed. The assessment should address individual products and groups of products with

similar functionality, while also taking into account possible external considerations.

It is important to select the appropriate security functionality and, through security assurance,

ensure that the end product has proper and correctly implemented security properties. This

means that security risks need to be first evaluated thoroughly. Appropriate countermeasures

can then be defined, either by introducing new security tools or specifying requirements on the

surrounding infrastructure or usage of the service or network node.

This process reaches far into deployment by, for example, hardening of platforms and other

operational instructions. Hardening guidelines provide instructions for customers and users to

configure the product to a particular security level, both when launching but also over time. All

of this ensures “end to end” security, which could also be described as “from design to operations.”

The vulnerability analysis then validates the quality of the product design by identifying,

evaluating and ranking any potential weaknesses through qualitative penetration and fuzz testing

– meaning real attacks on real network elements.

SECURITY BY DESIGN

Creating a secure system involves more than just considering the individual products that make

up the system. The network design itself contains many complex interdependencies that need

to be analyzed and then secured, and it is both more difficult and more expensive to address

security issues after a design is completed or already in production.

At the core of the concept of security by design are international standards and best practices,

as discussed above. Of particular importance in the design phase is the ISO 27000 family, which

provides processes and best practices for information security, and the ISO 15 408 Common

Criteria, which illustrates well-established methods for security assurance and mutual recognition,

with the proposed SECAM specifications from 3GPP a crucial step for increasing assurance in

future generations of more open telecom products.

Figure 4: Integrated process for product and service development.

GUIDING PRINCIPLES FOR SECURITY IN A NETWORKED SOCIETY • SECURITY AS A CONTINUOUS PROCESS 8

Security as a continuous processThe focus on security cannot end when products are shipped, because security is neither a

product in itself nor something that is addressed only once. It must evolve within an ever-changing

environment, and R&D must interact with real-world usage in order to detect and identify new

threats, either via customer interaction or via collaborations between security incident response

teams.

Security must therefore be incorporated into the entire development process. Some important

specifics to focus on – besides risk assessment and vulnerability analysis – include secure coding

review and design architecture security review and code traceability.

Security research is also imperative to developing innovative next generation defense strategies

and architectures, which will allow

stakeholders to stay ahead of the technology

and methods behind malware and cyber-

attacks.

This ongoing focus is necessary both in

terms of a stakeholder’s internal processes,

as well as for how they cooperate, whether

regionally, within the organization itself, or

across industries. It is crucial to incorporate

security-related input and feedback from all

possible sources, as only this level of

cooperation can maintain and improve the

resilience of the global communications

infrastructure.

Looking at internal processes, this means that maintaining security is achieved by a well-

defined governance structure, which ensures that the entire organization stays focused on both

emerging threats and solutions. This applies to solution development processes and to sales

processes, which should ensure that product features are used in a manner compliant with all

relevant laws and regulations.

Good governance encourages cooperation among stakeholders and the development of

secure operational processes on a global scale. It also helps to get a regular awareness of

potential and actual security threats, as security concerns and practices vary widely by country

and a threat that affects one region today could impact another tomorrow. This type of collective

knowledge can help operators, vendors and others deliver more secure solutions and let them

feed new lessons directly into their own development process.

Figure 5: Continuously improving security.

GUIDING PRINCIPLES FOR SECURITY IN A NETWORKED SOCIETY • CONCLUSION 9

ConclusionSecurity is a continuous process that will influence every sector of the digital ecosystem. It is

also an area that will become even more critical in the future, as technology and connectivity

reach into our lives for purposes we can’t even imagine. This requires a unified multi-stakeholder

approach that encompasses a range of threats and impacts, including network security and

economic considerations.

The breadth of this challenge will force vendors, operators, developers, governments and users

to view security holistically. Solution design processes must incorporate security from the start

and consider it at the device, platform, application, and system level, and companies and

organizations must put internal governance structures in place to foster an effective security

culture. All stakeholders must then focus on security as a continuous process. It will take this

level of collective vigilance to ensure that security doesn’t become a barrier to reaching the

potential of the Networked Society for people, business and society at large.

GUIDING PRINCIPLES FOR SECURITY IN A NETWORKED SOCIETY • GLOSSARY 10

GLOSSARYATIS Alliance for Telecommunications Industry Solutions

BYOD bring your own device

CSA Cloud Security Alliance

ETSI European Telecommunications Standards Institute

IETF Internet Engineering Task Force

IPsec IP Security

ISO International Organization for Standardization

M2M machine-to-machine

OMA Open Mobile Alliance

SECAM Security Assurance Methodology

TCG Trusted Computing Group

References1. Ericsson, February 2014, Ericsson Mobility Report interim update.

Available at: www.ericsson.com/mobility-report

2. Ericsson, November 2013, Ericsson Mobility Report.

Available at: http://www.ericsson.com/res/docs/2013/ericsson-mobility-report-november-2013.pdf

3. Ericsson ConsumerLab, February 2014, Privacy, security and safety online.

Available at: http://www.ericsson.com/res/docs/2014/privacy-security-safety-online.pdf

4. United States of America, Executive Order, The White House, Office of the Press Secretary, February 2013, Improving

Critical Infrastructure Cybersecurity.

5. European Commission, High Representative of the European Union for Foreign Affairs and Security Policy, February

2013, Cybersecurity Strategy of the European Union: An Open, Safe and Secure Cyberspace.

6. Republic of India, Ministry of Communication and Information Technology, Department of Electronics and Information

Technology, July 2013.

7. Ericsson Review, January 2014, Setting the standard: methodology counters security threats. Available at:

http://www.ericsson.com/res/thecompany/docs/publications/ericsson_review/2014/er-security-assurance-3gpp.pdf

8. Ericsson, May 2013, ICT and Human Rights – An ecosystem approach, Available at:

http://www.ericsson.com/res/thecompany/docs/corporate-responsibility/2012/human_rights0521_final_web.pdf

© 2014 Ericsson AB – All rights reserved

GUIDING PRINCIPLES FOR SECURITY IN A NETWORKED SOCIETY • REFERENCES 11