Security Regulations: How to Innovate in a Global Environment

By: Jesse Cryderman

Regulation and security have been closely connected since the beginning of modern civilization. It could even be argued that without proscription there would be no security.

The very first telecommunications standards, the rules that governed the transmission of telegraphs around the globe, were established in 1865 along with the International Telegraph Union as an international treaty, and willfully breaking those standards was considered a potential act of war. Today the ITU is known as the International Telecommunication Union, and the development of new technology over the past 148 years has spawned three working groups, or “sectors”: Radiocommunication (ITU-R), Telecommunication Standardization (ITU-T) and Telecommunication Development (ITU-D). Together, they create the framework for modern-day international communications security.

That’s not the end of the story, of course. (If it were, you would have just finished a very short article.) Landline voice regulations and standards evolved over many decades and were ratified by member nations with relatively little teeth gnashing—the ITU became a specialized agency of the United Nations in 1949—but beginning in the late ’90s the earth was irreversibly shaken by the introduction of the global internet and the revolution of pervasive wireless connectivity, giving rise to a subsequent tsunami of security threats and challenges. They came about so quickly that no regulations, whether local, national or international, could hope to keep pace, and now communications service providers (CSPs), businesses, consumers and even entire countries are all swimming in murky water.

The internet created billions of new security vulnerabilities. Wireless connectivity added billions more. Twenty years ago a US bank was essentially untouchable when it came to foreign threats, barring an on-premise attack, but today anyone with an internet connection (terrestrial or mobile) and a laptop can foreseeably leech funds from a financial institution. In 2011 Norton estimated that the global impact of cybercrime is roughly $114 billion a year, affecting more than a million victims every single day.

The sheer complexity of the situation makes regulation exceedingly difficult. Is an internet service provider (ISP) in Romania liable for damages sustained by a French corporation when a hacker in China uses the ISP’s servers as part of a complex botnet hacking scheme? If so, who prosecutes whom, which country has the jurisdiction and which one enforces the ruling?

Thinks quickly become complicated.

These challenges have only been exacerbated by ex-NSA contractor Edward Snowden’s revelations about government surveillance programs. The documents he released to the UK newspaper The Guardian last summer reveal a disturbing pattern of unauthorized communications surveillance and data collection by both the US and UK. As Pipeline was going to press, allegations that the US government secretly tapped the cell phones of numerous foreign heads of state crossed the wire, a development that threatens not only the US’s relationships with other countries but also the smooth development of international cybersecurity regulations.

CSPs must walk a tightrope that traverses the oft-opposing constraints of security, privacy, freedom, and profitability. By examining the role that the global regulatory framework plays in telecommunications and the digital-services market, Pipeline will illustrate how CSPs can best position themselves to accommodate evolving security regulations in a manner that fulfills customer-privacy expectations while facilitating the consistent growth of revenue.