The internet and mobile connectivity have become ever-more pervasive and embedded in daily life, so there is a corresponding need to ensure people can continue to use these increasingly essential services safely and securely. The mobile industry has worked to educate consumers while incorporating new features and enhancing existing security capabilities such as encryption, integrity checking and user identification validation into mobile services, minimising the potential for fraud, identity theft and other possible threats.
Governments and policymakers have put in place measures to prevent cyberattacks, which are not only harmful and criminal, but undermine trust in digital services. National and regional strategies have been adopted in many countries to strengthen resilience, build capacity and fight cybercrime.
‘Cybersecurity’ is not often clearly defined [1] and can cover a number of areas. Generally, it refers to the protection, by any means, of network-related systems and devices and the software and data they contain. As such, cybersecurity typically comprises the protection of technical infrastructure, procedures and workflows, physical assets, national security as well as the confidentiality, integrity and availability (CIA triad) of information.
The mobile industry has a long history of providing secure products and services to its customers in the following ways: [2]
Protecting network infrastructure and devices. Operators are constantly improving standards, deploying better versions of technology, identifying risks and reducing vulnerabilities. They test networks for weaknesses and build their capacity to detect and deter malicious attacks on current-generation and future networks. The GSMA and its members support the principles of ‘security-by-design’ to be applied across the value chain.
Protecting public safety. Mobile networks are considered to constitute critical national infrastructure in many jurisdictions and they play a key role in protecting the public, for example by enabling people to call emergency services. Operators have a legal obligation to assist law enforcement agencies, which they do while being supportive of human rights concerns.
Protecting consumers from fraud. Fraudulent attacks take many forms, such as identity theft, financial fraud, phishing, SMiShing or vishing, where victims are tricked into revealing sensitive personal information and service access credentials. Operators implement solutions to prevent the use of networks to commit fraud and the use of devices to harm consumers.
Protecting consumer privacy. Information security implies that information, including personal data, is not accessible or disclosed to unauthorised individuals, entities or processes, and that it is maintained, complete and available, throughout its life. The GSMA has done extensive work on data protection and data privacy.
Given that risks are dynamic and not confined to national borders, sustained, international multi-stakeholder cooperation is key in all areas of security to manage risks. Furthermore, robust security measures must be adopted by the entire digital value chain. Looking ahead, mobile operators and the GSMA will remain engaged in a number of activities, including:
- Continuing to invest in the security of their own networks, devices and services and building the capacity to detect and deter malicious attacks, improving preparedness and incident response.
- Contributing to the development of globally recognised, industry-led, voluntary consensus security standards, assurance programmes and conformity assessment schemes.
- Participating in capacity building and in public-private partnerships to share best practices with other stakeholders.
1. A useful overview of definitions can be found in ENISA’s report: Definition of Cybersecurity – Gaps and overlaps in standardisation.
2. GSMA Report: Safety, Privacy and Security Across the Mobile Ecosystem for All (2013).