Charles Brookson: Product Proofing Guidance

Charles Brookson, ETSI OCG-Security Chairman talks to Intercomms about the standards body's follow-on work to the 'ICT Product Proofing Against Crime' White Paper, published earlier this year

Charles Brookson works in the Department for Business, Enterprise and Regulatory Reform and is a Professional Electronic Engineer. He was previously Head of Security at one2one (now T-Mobile UK), and before that worked within British Telecom for twenty years. He has worked in many areas of security over the last 30 years.

He has been Chairman of the GSM Association Security Group and has worked on GSM and 3GPP security standards since 1986, when he first chaired the Algorithm Expert Group. He is Chairman of the NISSG, a group set up to co-ordinate security standards among the three European Standards Organisations and other bodies outside Europe. He is also Chairman of ETSI OCG Security, which is responsible for security within ETSI, and sits on the Permanent Stakeholders' Group of ENISA, the European Network and Information Security Agency.

Q: Are you responding to particular threats or is it a more general concern about security?
A: We think that there is an opportunity to further develop products and services to make them less attractive to criminals and fraudsters. We have already had good success with activities such as securing mobile phones - if such an incident happens to you in the UK, your phone is barred immediately. This has now been extended to a number of other countries. Of course, you need the whole background of international cooperation which exists to make sure it can't be easily changed.

For wireless terminals in general, or indeed any type of telecommunications device, which is what ETSI deals with, there are a number of opportunities for security improvements. Our work is actually in response to the European Commission's Mandate 355 on Justice and Home Affairs on proofing products against crime.

It is impossible to bolt security on as an afterthought, and the fundamental thinking behind all this work is that by far the best way of designing security is within a set of standards, within a standards group like ETSI.

Q: What's next?
A: We have put together the White Paper and by the end of the year we will come up with guidance for wireless terminals. That is being done within a Specialised Task Force (STF) within ETSI, funded as a private ETSI enterprise together with other interested parties such as operators.

Q: Is this a non-standard ETSI approach?
A: It is one of many approaches ETSI can take. We will put together an STF which will then produce a Special Technical Report comprising advice and guidance to those people sitting in our standards groups on the sort of thing they should be considering. Hopefully, that should produce standards which will lead to products that have at least some basic fundamentals built into them.

Q: Is there any anecdotal evidence that operators like this approach?
A: The fact that we are getting funding from manufacturers shows that we have their support. It is clearly in their interests to do so. Up until now, in the case of mobile phones alone, there has been a great deal of industry money put into activities to prevent mobile phones from being stolen. The GSM Association has put money into the CEIR, an extremely large Central Equipment Identity Register that links everyone together. All the operators have put Equipment Identity Registers (EIRs) within their networks to check the identity or serial number of a phone (the IMEI, or International Mobile Equipment Identifier) before it can make a call, and all the manufacturers have spent a lot of time strengthening the security across the board, so nowadays when you buy a phone, it is just about impossible to change its identity.
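The EIR check described in the answer above, written out as an added example (this is not code from the interview, ETSI or the GSM Association). It goes slightly beyond the text by also accepting the 16-digit IMEISV form, on the assumption, stated in the code, that an IMEI is 14 digits (8-digit TAC plus 6-digit serial) followed by a Luhn check digit while an IMEISV replaces the check digit with a 2-digit software version, so the register is keyed on the 14 digits and a barred handset stays barred whatever firmware it reports. All sample identities are constructed for the demo.

```python
"""Toy Equipment Identity Register (EIR) check.

Added example, not code from the interview, ETSI or the GSM Association.
Assumed: an IMEI is 14 digits (8-digit TAC + 6-digit serial) followed by a
Luhn check digit, and an IMEISV is the same 14 digits followed by a 2-digit
software version with no check digit; the register matches on the 14 digits.
"""
from dataclasses import dataclass, field
from typing import Optional, Set


def luhn_check_digit(payload: str) -> int:
    """Check digit that makes payload + digit pass the Luhn test.

    Counting from the right of the finished 15-digit IMEI the check digit is
    position 1, so every even position (1-based, from the left) of the
    14-digit payload is the one that gets doubled.
    """
    if len(payload) != 14 or not payload.isdigit():
        raise ValueError("IMEI payload must be exactly 14 digits")
    total = 0
    for pos, ch in enumerate(payload, start=1):
        d = int(ch)
        if pos % 2 == 0:
            d *= 2
            if d > 9:
                d -= 9          # same as summing the two digits of d
        total += d
    return (10 - total % 10) % 10


def normalise_imei(identity: str) -> Optional[str]:
    """Return the 14-digit TAC+serial key, or None if the identity is malformed.

    A 15-digit value must carry a correct check digit; a 16-digit IMEISV is
    accepted without one and its software-version digits are dropped.
    """
    s = identity.strip()
    if not s.isdigit():
        return None
    if len(s) == 15:
        return s[:14] if luhn_check_digit(s[:14]) == int(s[14]) else None
    if len(s) == 16:
        return s[:14]
    return None


@dataclass
class EquipmentIdentityRegister:
    """Blacklist (barred) and greylist (tracked but allowed), keyed on the
    14-digit TAC+serial so IMEI and IMEISV forms of one handset match."""
    blacklist: Set[str] = field(default_factory=set)
    greylist: Set[str] = field(default_factory=set)

    def bar(self, identity: str) -> None:
        key = normalise_imei(identity)
        if key is None:
            raise ValueError(f"refusing to bar malformed identity {identity!r}")
        self.blacklist.add(key)

    def watch(self, identity: str) -> None:
        key = normalise_imei(identity)
        if key is None:
            raise ValueError(f"refusing to watch malformed identity {identity!r}")
        self.greylist.add(key)

    def check(self, identity: str) -> str:
        """Decision for a handset attaching: 'deny', 'monitor' or 'allow'.

        A malformed or check-digit-failing identity is denied outright: a
        handset that cannot present a well-formed IMEI is treated like a
        barred one rather than being waved through.
        """
        key = normalise_imei(identity)
        if key is None or key in self.blacklist:
            return "deny"
        if key in self.greylist:
            return "monitor"
        return "allow"


if __name__ == "__main__":
    # Constructed sample identities (not real handsets).
    eir = EquipmentIdentityRegister()
    eir.bar("490154203237518")             # reported stolen
    for ident in ("490154203237518",       # the stolen handset, IMEI form
                  "4901542032375107",      # same handset, IMEISV form
                  "352099001761481",       # another handset, valid check digit
                  "490154203237519"):      # tampered or mistyped check digit
        print(ident, "->", eir.check(ident))
```

The point of keying on the 14 digits rather than the full string is the one the answer makes about identities being hard to change: a handset cannot escape a bar by presenting its identity in a different form, and an identity that fails its own check digit is refused rather than quietly allowed.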

Q: You've set yourself a very broad target - security across all ICT. How are you climbing the mountain?
A: That is why we have started with one particular topic - wireless terminals - because we think that offers us the most immediate opportunities, but it's just the beginning. The next phase might be home networking equipment or something similar to help the consumer.

Q: Why wireless? Was it simply a case of it being 'low hanging fruit' or were other factors involved?
A: You can only influence those activities you are involved in. ETSI is involved in a number of activities with Wireless, so it was a natural fit.

Wireless terminals cover a wide range of activities. People think of GSM and 3G but it doesn't stop there. You could include WiMax, base stations in the home, smart phones and all sorts of other activities. Wii and Microsoft Zooms each have WiFi connections in some sense. They do become wireless terminals; one is moving away from the mobile phone to perhaps small computers with many different ways of keeping a connection.

Q: You are initially concentrating on product proofing for consumers but what about the business market?
A: The business market is subdivided. SMEs comprise single individuals or small groups, though they have the same security problems as consumers. Large business users already have staff undertaking detailed security and backup, so hopefully they would specify what they want in the first place. There are, however, different things that could be done for them, not least in ensuring that the security functionality is installed throughout from the start, rather than just hoping it arrives when they buy it.

Q: There are a number of barriers to making ICT-wide product proofing work, what are you doing to dismantle them?
A: The issues around security are usability from the point of view of the end user. You want things to be as invisible as possible. A good example of why this is important is when using a PC you are sent lots of warning messages, most of which you don't even know the answer to, and to which you have to click on "YES" or "NO". That's a good example of security that users might find confusing. An interesting example of invisible security, of which the user is not aware, is when you are using your mobile phone: you are not aware of the passing of encryption and, if you roam, of authentication keys too, between operators in such a way that operators can't compromise one another but you can still prove who you are. Another is the balance that has to be struck between intrusion into personal privacy and actually identifying people in case they are involved in criminal activities. In the end it comes down to whether you trust authorities to act within the law.
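The roaming exchange the answer above alludes to, as an added example that is not part of the interview or of any ETSI or 3GPP specification. It models the GSM-style arrangement in which the subscriber's long-term key Ki lives only in the SIM and in the home operator's authentication centre, and a visited network receives (RAND, SRES, Kc) triplets that let it challenge the subscriber and obtain a cipher key without ever learning Ki, so one operator cannot impersonate another's subscriber. Assumptions: `a3_a8` is an HMAC-SHA256 stand-in for the SIM's A3/A8 functions, not the operator algorithms (such as COMP128 or MILENAGE) real networks use, and the key and IMSI values are constructed for the demo.

```python
"""Roaming authentication with GSM-style triplets.

Added example, not code from the interview or from ETSI/3GPP. Ki exists only
in the SIM and the home network's authentication centre; a visited network
gets (RAND, SRES, Kc) triplets and can verify the subscriber and derive a
cipher key without ever learning Ki.
Assumption: a3_a8 is an HMAC-SHA256 stand-in for the SIM's A3/A8 functions,
not a real operator algorithm; key and identity values are constructed.
"""
import hashlib
import hmac
import os
from typing import Dict, List, Optional, Tuple

Triplet = Tuple[bytes, bytes, bytes]   # (RAND, SRES, Kc)


def a3_a8(ki: bytes, rand: bytes) -> Tuple[bytes, bytes]:
    """Stand-in A3/A8: derive the 32-bit response SRES and 64-bit cipher key Kc."""
    mac = hmac.new(ki, rand, hashlib.sha256).digest()
    return mac[:4], mac[4:12]


class Sim:
    """The subscriber's SIM: holds Ki, answers challenges, never exports Ki."""

    def __init__(self, imsi: str, ki: bytes) -> None:
        self.imsi = imsi
        self._ki = ki

    def respond(self, rand: bytes) -> Tuple[bytes, bytes]:
        return a3_a8(self._ki, rand)


class HomeNetwork:
    """Home operator's authentication centre: the only network-side holder of Ki."""

    def __init__(self) -> None:
        self._subscribers: Dict[str, bytes] = {}

    def provision(self, imsi: str, ki: bytes) -> None:
        self._subscribers[imsi] = ki

    def authentication_vectors(self, imsi: str, count: int = 3) -> List[Triplet]:
        """Pre-compute triplets for a roaming partner; each carries a fresh RAND."""
        ki = self._subscribers[imsi]
        vectors = []
        for _ in range(count):
            rand = os.urandom(16)
            sres, kc = a3_a8(ki, rand)
            vectors.append((rand, sres, kc))
        return vectors


class VisitedNetwork:
    """Roaming partner: authenticates the subscriber from cached triplets only."""

    def __init__(self) -> None:
        self._cache: Dict[str, List[Triplet]] = {}

    def fetch_triplets(self, home: HomeNetwork, imsi: str) -> None:
        self._cache.setdefault(imsi, []).extend(home.authentication_vectors(imsi))

    def authenticate(self, sim: Sim) -> Tuple[bool, Optional[bytes]]:
        """Challenge the SIM with one triplet; return (success, Kc).

        Each triplet is consumed once so a captured RAND/SRES pair cannot be
        replayed; with an empty cache the visited network must refetch from
        home, since without Ki it cannot compute SRES for a challenge itself.
        """
        pending = self._cache.get(sim.imsi, [])
        if not pending:
            return False, None
        rand, expected_sres, kc = pending.pop(0)
        sres, _ = sim.respond(rand)
        if hmac.compare_digest(sres, expected_sres):
            return True, kc
        return False, None

    def holds_secret(self, secret: bytes) -> bool:
        """True if the secret appears anywhere in what the visited network stores."""
        return any(secret in part for ts in self._cache.values() for t in ts for part in t)


def run_roaming_demo() -> Dict[str, bool]:
    ki = bytes.fromhex("00112233445566778899aabbccddeeff")   # constructed
    imsi = "234150000000001"                                # constructed
    home, visited = HomeNetwork(), VisitedNetwork()
    home.provision(imsi, ki)
    genuine = Sim(imsi, ki)
    cloned = Sim(imsi, bytes(16))       # attacker knows the IMSI but not Ki

    visited.fetch_triplets(home, imsi)  # three triplets
    results = {"first_auth": visited.authenticate(genuine)[0]}
    results["wrong_sim"] = visited.authenticate(cloned)[0]
    visited.authenticate(genuine)       # third and last triplet
    results["exhausted"] = visited.authenticate(genuine)[0]
    visited.fetch_triplets(home, imsi)
    results["after_refetch"] = visited.authenticate(genuine)[0]
    results["visited_knows_ki"] = visited.holds_secret(ki)
    return results


if __name__ == "__main__":
    for name, ok in run_roaming_demo().items():
        print(f"{name}: {ok}")
```

The invisibility the answer describes is in the last three results: the subscriber proves who they are to a network that was never given their key, a cloned SIM with the right IMSI but the wrong Ki fails, and the visited network has to go back to the home operator once its triplets run out because nothing it holds lets it manufacture a valid challenge.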

Q: The final standards are some way off. How are you ensuring that industry is prepared for the final solution?
A: This is a medium to long term project - standards typically occur within three years of them being written for a variety of reasons. We will produce a guidance document as to the tools and techniques people should use when in the standards setting bodies themselves. I would hope that the manufacturers and operators who are participating are also the people creating and discussing them. All we want to do is make sure that security and right thinking about security - like going through threat analysis and finding out what they can do to protect wireless terminals - is properly set out in front of them.

Q: To what extent is this activity one of integrating pre-existing security standards and putting them in an overarching network that will cover the whole ICT community?
A: What we are doing is offering ideas and guidance to people as to what they are putting into devices. If you are coming at this issue for the first time it is not altogether obvious how to proceed. People will be able to use those product proofing tools and techniques within the standards they are writing. That is the idea of writing a paper on guidance for people attending standards meetings for wireless terminals. If you take Next Generation Networks, ETSI TISPAN has a security group there working on all sorts of security related standards. We have a Lawful Interception group within ETSI, TC LI, which specifies how information should be provided to anybody who is lawfully intercepting your network. The idea of that is to give manufacturers and operators a standard way of doing things, no matter what piece of equipment they buy.

Q: I know it's a well trammelled issue but how is convergence affecting what you do?
A: The only reason that people haven't been protecting wireless devices is because there hasn't been a threat. At some point there will be a threat, and already some of the mobile operating system manufacturers take that very seriously. At some time in the future, there's no reason why malware pushing you to premium content pages or subverting your privacy should not start to affect what you do, and we are looking at that too. I'm frankly surprised that it hasn't been done already.

Security is best built in from the start and we've been striving to put security into the system for years. We have all tried to put in security subsequently, but it's never worked properly. I hope the way we are doing this now will prove successful and will protect both consumers and our own networks.

For more information visit: ETSI website at www.etsi.com
