Mobile network security in natural disasters

Mobile network security in natural disasters faces a challenge most operators have not planned for: attackers who treat the recovery window as a staging opportunity. When the Noto Peninsula earthquake struck Japan in January 2024, Rakuten Mobile’s network teams found themselves managing physical reconstruction and a wave of cyber threats simultaneously.

“Disasters like an earthquake create the perfect conditions for cyberattacks,” Nagendra Bykampadi, Vice President for Security Research and Standards at Rakuten Mobile, told attendees at the MWC26 Barcelona Security Summit. His observation, drawn from direct experience, is a challenge the industry has not yet absorbed. Mobile network security in natural disasters poses a compound risk, yet Rakuten’s Noto experience can help identify what operators need to prepare.

How natural disasters compound mobile network security risks

On a normal day, a mobile network runs under layered defences: authentication systems, monitoring tools, patching schedules, and access controls. A major natural disaster removes most of that scaffolding at once.

Power outages disable backup systems. Damaged fibre forces traffic onto improvised routes. Temporary base stations go up without full hardening. Engineers managing twenty simultaneous tasks start bypassing authentication steps to get equipment online faster. Monitoring gaps open and remain open for days. Underneath all of this, the network’s defenders are exhausted and fielding calls from regulators who want status updates now.

Bykampadi describes each of these factors as manageable in isolation. Together, they create a different problem. Attackers scanning for vulnerable infrastructure during a disaster are not looking for a sophisticated exploit. They are looking for a network in a degraded security posture. The engineers staffing it cannot respond in real time. Mobile network security in natural disasters fails because the conditions make normal security practice temporarily impossible. Defenders do not fail individually. The framework around them does.

What the Noto earthquake revealed about network security during disasters

Rakuten restored major network areas within two weeks of the earthquake. That speed reflects the advantages of its software-defined, Open RAN architecture. But two weeks of partial operation meant two weeks of reduced security posture. Parts of the network remained unpatched for almost two months after the event. During that window, the cyber threat landscape was changing fast.

Bykampadi identifies two threat categories that emerged at Noto. The first was what he calls “impression zombies”: fake bot accounts that flooded social media during the recovery. These accounts amplified misinformation and directed disaster survivors toward fraudulent fundraising appeals and phishing links. The second was infrastructure-level targeting. Attackers planted malware during the restoration window. They aimed to activate ransomware once the network was fully operational.

“Operators fight the war on two fronts,” Bykampadi said. “On one side you have physical destruction and on the other side attackers probing the weakened defences.” Similar patterns have appeared after other major disasters. Attackers treat recovery periods as attack staging windows, not as delays. These patterns confirm that mobile network security in natural disasters requires planning for the recovery phase. Initial impact alone is not the problem.

Why software-defined architecture changes the disaster resilience calculus

When Rakuten built its network on a software-defined, Open RAN foundation, the drivers were commercial: cost and agility. The ability to source components from multiple vendors, update remotely, and avoid hardware lock-in was a business argument. The Noto earthquake added a different dimension.

A software-defined network can be reconfigured and brought back faster than one built on proprietary hardware. Engineers do not need physical access to every node to restore services. Remote management means recovery can continue even when roads are blocked and teams cannot reach damaged sites.

For mobile network security in natural disasters, that speed matters. The longer a network runs in degraded mode, the wider the window for attackers. Faster restoration shortens that exposure. There is a counterargument worth acknowledging: Open RAN’s disaggregated interfaces introduce new attack surfaces compared with traditional proprietary architectures. Bykampadi did not minimise this. But his broader point stands: architecture designed for faster restoration also gives security teams cleaner control over the recovery process.

Preparing mobile networks for disaster before the disaster strikes

Bykampadi’s most direct instruction was also his most practical: “What saves you during a disaster is what you do before the disaster.” Stronger mobile network security in natural disasters breaks into two preparation streams. The first is technical. Operators need alternate communication channels that stay functional when primary systems fail. They also need clear records of which security controls were relaxed by design. Without those records, teams cannot tell planned deviations from ones made under pressure. Recovery procedures should include cybersecurity steps alongside physical restoration tasks, not treat them as separate tracks.

The second stream is organisational. Bykampadi stressed that no operator can manage a major disaster response alone. After Noto, Japan’s eight telecommunications carriers established a formal cooperation framework, sharing base-station-equipped ships, network facilities, and recovery assets across networks that would otherwise compete. Cross-operator threat sharing during an active disaster can identify attack patterns faster than any single operator’s monitoring team working alone.

Where this leaves mobile network operators

Future mobile networks will carry emergency response traffic, healthcare data, and critical infrastructure signals. Their security posture during a major natural disaster will affect more than subscriber experience. It will affect the societies those networks underpin.

The Noto earthquake was, from a cybersecurity standpoint, a warning with a survivable outcome. Rakuten’s architecture helped. Its engineers’ speed helped. The cooperation framework that Japan’s carriers built afterward may help even more when the next event hits. But the lesson from every case Bykampadi described is consistent: operators who treat cyber resilience as a steady-state problem will find it becomes an acute one at precisely the moment they are least able to handle it.

Mobile network security in natural disasters is not a separate discipline from everyday network security. It is where everyday network security gets tested under the worst conditions, against attackers who planned for that window. For more information on how the industry is coordinating to strengthen cybersecurity, please visit the GSMA Fraud and Security Group.