No one is claiming responsibility for VoIP [voice over Internet protocol] security. And that's a real problem.
A panel of experts at yesterday's Georgia Tech Information Security Center VoIP Security Summit said everyone from the end user to the ISP to protocol designers must have a stake in keeping the hottest technology from falling victim to thieves, hackers and fraudsters.
"The problem is that nobody is responsible and yet everyone is responsible," said Steve Chaddick, senior vice president and chief strategy officer of "network pain point specialist" Ciena Corp. of Linthicum, Md. "It's going to make a real mess."
That boils down to every man -- or company -- looking out for himself.
"Companies will have to protect themselves as they do today," said Chris Rouland, CTO of Atlanta-based Internet Security Systems. "And instead of having two guys from Kazakhstan call about holding your Web site hostage [referring to a problem faced by businessman and former New York Mayor Michael Bloomberg a few years ago], they'll be holding your communications hostage."
But end users shouldn't be the only line of defense, and protocols and service agreements don't spell out security responsibility either.
"End users cannot be expected to 'roll their own' solutions, so extraordinary levels of collaboration between the industry stakeholders is going to be required," Richard DeMillo, a dean at the Georgia Tech College of Computing and the panel's moderator, said in an e-mail interview prior to the summit. "This is a different game than the IETF-style standards efforts because it requires ongoing research and development commitment and a willingness to stick with a growing market."
VoIP makes use of data lines to transmit packets of information like any other network, but raises a host of questions on both security and reliability. Underlying differences in how voice and data networks prioritize delivery may impact VoIP quality. The focus on data networks is on reliability of transmission, not timely packet reassembly. Security concerns include adding a new attack vector to your network, toll charge fraud and identity fraud.
"There hasn't been a discussion we've had [about VoIP] that hasn't involved whether it's a secure and reliable service," said Steve Zimba, director of telecommunications provider BellSouth's Storage and Business Continuity Services. "We have to address these concerns [worms, viruses and other threats] before we see widespread adoption."
"Some of these issues will play out in the public policy arena," Zimba said.
The impacts of security and reliability issues are tangible. "A three-day outage for all communications can bring an enterprise to its knees," said Adam Drobot, vice president of the applied research business unit at Piscataway, N.J.-based Telcordia.
"VoIP security is a little better than e-mail security, but look at the problems we have with e-mail," ISS's Rouland said. "Imagine having to delete 100 spam voicemails a day."