Mobile phone networks are prime targets for a cyber attack, and governments large and small are in a particularly powerful position to execute such an attack on another country. Given the September 5th NATO Wales summit resolution declaring that cyber attacks can now trigger collective defense, how will the “cyber umbrella” extend to the mobile and telecommunications domain? This is not a hypothetical scenario; it already has significant precedent. State actors have conducted cyber-espionage (most recently in Hong Kong) and cyber-sabotage of critical infrastructure. We’ve never seen a significant sabotage operation against mobile phones themselves, but the phone network has long been an infrastructure target in traditional wars going back to the age of the telegraph. Just this spring Russia conducted denial of service attacks targeting the Ukrainian government’s phone system. So what are the technical challenges associated with the NATO Wales summit resolution?
Some Background
Mobile phone networks are culturally distinct and radically different from the Internet. First, there is an asymmetrical relationship between phone and Internet communication because there are no web servers on the phone network. While phones can reach the Internet, computers on the Internet cannot directly touch your phone. This is one of the many additional layers of complexity when dealing with malicious cyber activity in the mobile domain.
Second, there is also an asymmetry of the markets. The Internet marketplace is often referred to as the “Wild West,” while the mobile network marketplace is extraordinarily oligopolistic. Thousands of Internet service providers exist and anyone can build their own network with some Ethernet cable and a router. The Internet is a wild and chaotic place: e-commerce sites are as easy to connect to as social networks, travel-booking sites, and even your bank. Nobody trusts anybody because any stranger can connect to any web site from anywhere in the world. This is why online accounts have passwords and corporations employ VPNs for additional security. Conversely, only a few companies build Internet telecommunications equipment, which communicates over a collection of esoteric protocols. There are also only a few hundred national and regional phone networks, which are owned and managed by about fifty multinational companies. Phone networks only connect to other phone networks, so only other providers have access. The networks connect to each other through tightly controlled connections managed internally or through trusted third parties.
This oligopoly can not only result in higher prices, but has also produced a complex web of protocols and technologies that further differentiate mobile networks from the Internet. To oversimplify, the Internet uses HTTP over TCP/IP, while telecommunications networks communicate via SS7 over SCTP/IP. The reality is far more complicated than this: SIP should eventually replace SS7, but that’s going to be a very long process and new protocols are drafted every year. The situation has been in flux since the 1990s, and that won’t change in the near future.
Finally, because mobile networks are proprietary, phone network security is an under-researched area: few researchers can get their hands on telecommunications equipment. The stuff is expensive, rare, horribly complicated to use, and its sale and distribution are heavily regulated.
So how is this related to cyber-warfare? National governments are closely tied to the phone network infrastructure and providers. They regulate the providers, some of which are state-owned enterprises, and they commonly operate their own massive internal phone networks. Governments themselves are de facto telecommunications providers, and wield an outsized advantage over non-state actors in instigating malicious mobile network behaviour.
Article 5: In Theory and in Reality
In the Wales summit resolution, NATO did not adopt any language that spells out what a cyber attack is, opting instead to say that a decision on when to invoke Article 5 would be made on a “case-by-case basis.”
So let’s see how this would play out in a hypothetical situation. Country X wants to knock country Y offline. X is a de facto provider, and it has a connection into the private global phone network. From its trusted position in the network, X can exploit a vulnerability in Y’s provider and knock it offline. X can misattribute this to another country by tunnelling through a third-party provider.
If the target is hit in the right place, the impact can be enormous. In summer 2012, a failure in the Home Location Register (HLR, one of hundreds of crucial components in a core network) caused the collapse of the provider Orange in France. For twelve hours, 26 million people had no phone or data service. That same year O2 in the UK experienced a similar outage due to an HLR failure.
X could target the HLR in Y’s network or one of several other choke points. Components that affect large numbers of subscribers include the HLR, MSC, HSS, SMSC, MSS, and GGSN. After the initial attack, X would simply wait until the network service was restored, and knock it back down. Lather, rinse, and repeat.
If NATO is serious about Article 5, it needs to be aware that an attack on a telecommunications network could be the catalyst for invoking it. This isn’t simply some hypothetical, futuristic scenario; it has serious precedent. The core mobile network infrastructure is particularly vulnerable, and the perpetrator of such an attack will likely have the access, skills, and resources of a nation state. NATO member states need to prepare now for how they might respond to a mobile blackout. A case-by-case strategy simply won’t suffice when an entire population is disconnected from their smartphones.