Cybersecurity

Background

The internet and mobile connectivity have become ever more pervasive, making it vital to ensure that people can use increasingly essential services reliably, safely and securely.

Cyberattacks are not only harmful and criminal, but also undermine trust in digital services. The mobile industry is continually working to educate consumers while also incorporating new features and enhancing existing security capabilities to minimise the potential for fraud, identity theft and other possible threats. This includes encryption, integrity checking and user identity validation. Governments and policymakers have put measures in place to prevent cyberattacks, and national and regional strategies have been adopted in many countries to strengthen resilience, build capacity and fight cybercrime.

Cybersecurity covers several areas, 15 but generally refers to the protection of network-related systems and devices and the software and data they contain. It typically comprises the protection of technical infrastructure, procedures and workflows, physical assets, national security and the confidentiality, integrity and availability (‘CIA triad’) of information. The mobile industry has a long history of providing secure products and services to customers. 16

Protecting network infrastructure and devices

Mobile operators test for vulnerabilities and detect and deter malicious attacks on current generation and future networks. The GSMA and its members support the principles of ‘security by design’ being applied across the value chain. The GSMA itself plays a central role in coordinating activities and leads industry-wide initiatives and programmes, such as the Fraud and Security Group (FASG), the Security Accreditation Scheme (SAS) and the Network Equipment Security Assurance Scheme (NESAS), which together provide a security assurance framework to facilitate security improvements across the mobile industry.

Protecting public safety

Mobile networks are considered critical national infrastructure in many jurisdictions, and the services they support play a key role in protecting the public. The laws and regulations applicable to mobile operators, including telecoms licence conditions, often require them to take on additional responsibilities and assist law enforcement agencies.

Protecting consumers from fraud

Fraudulent attacks take many forms, such as identity theft, financial fraud, phishing, smishing or vishing, where victims are tricked into revealing sensitive personal information and service access credentials. Mobile operators implement and offer solutions to prevent the use of networks to commit fraud and the use of devices to harm consumers.

Protecting consumer privacy

Information security implies that information, including personal data, is not accessible or disclosed to unauthorised individuals, entities or processes, and that it is maintained, complete and available throughout its life. The GSMA has undertaken extensive work on data protection and data privacy.

Debate

In the context of 5G implementation and the expanding web of IoT devices, services and AI, how can policymakers ensure that cybersecurity is the responsibility of everyone in the mobile ecosystem?

What is needed to facilitate a more holistic response to cybersecurity?

Industry position

Cybersecurity is the shared responsibility of industry, government and regulators. Every actor in the digital value chain, across all sectors of the digital economy, needs to ensure the appropriate protection of infrastructure, products and services.

Different types of cyberthreats have the potential to undermine the integrity of networks through unauthorised interception of networks. This can be through hardware and software in the mobile value chain, as well as through the use of social engineering where employees and mobile users are deceived into providing information. The mobile industry has been responding to these threats primarily by building more sophisticated security, training employees and conducting awareness-raising campaigns for customers. A holistic approach is important, with security and privacy embedded in the culture and early stages of product and service development.

While the GSMA provides guidance on a range of mobile security risks and mitigation measures, 17 the mobile industry looks to governments and law enforcement agencies to ensure there are appropriate legal frameworks, resources and processes in place to deter and prosecute criminal behaviour. Cybersecurity is not restricted by borders and requires national and international cooperation, such as that reflected in the Convention on Cybercrime, known as the Budapest Convention, 18 and the African Union Convention on Cyber Security and Personal Data Protection, known as the Malabo Convention. 19

Resources:

Mobile Telecommunications Security Landscape 2023, GSMA, February 2023

Safety, Privacy and Security Across the Mobile Ecosystem, GSMA, November 2022

Cybersecurity: A Governance Framework for Mobile Money Providers, GSMA, September 2019

Cybersecurity and Mobile Money: Prioritising Consumer Trust and Awareness, GSMA, July 2021

15 ENISA (2016), Definition of Cybersecurity: Gaps and Overlaps in Standardisation
16 GSMA (2017), Safety, Privacy and Security Across the Mobile Ecosystem: Key Issues and Policy Implications
17 GSMA Mobile Cybersecurity Knowledge Base
18 Council of Europe Convention on Cybercrime
19 African Union Convention on Cyber Security and Personal Data Protection