VoIP could provoke 'electronic Pearl Harbor'

Leaping into cheap Internet telephony before looking at the security risks could create a lot of risk for companies.

Andrew Donoghue Special to CNET News.com

March 17, 2005 11:51 a.m. PT

3 min read

The head of information security for the United Kingdom's Royal Mail has warned that Internet telephone applications will expose companies to hackers and malicious code if not implemented correctly.

Speaking at the annual Business Continuity Expo in London's Docklands, David Lacey, director of information security for the Royal Mail Group, said that he expects a widespread IT security incident to occur in the next two years, possibly as a result of companies hastily moving to voice over Internet Protocol technology without carrying out the necessary due diligence.

"An electronic Pearl Harbor-type event will happen in 2006 or 2007. I do stand by that," he said. "New technologies such as VoIP risk driving a horse and cart through the security in our networks."

Lacey, one of the founders of the Jericho Forum security user group, said that VoIP represented a particular threat to enterprise network security because companies may rush to take advantage of cheap telephony services without thinking about the security aspects. "If VoIP is implemented in a very fast way, that will be a pretty major threat," he said.

In a survey released last month from the Computing Technology Industry Association, VoIP was named as the application capable of offering the greatest productivity gains by 34 percent of respondents.

Voice systems do not have the same security heritage as data networks, which could make VoIP a fundamentally insecure part of a company's network infrastructure, added Lacey. By using the same network for all their voice and data traffic, companies also risk "putting all their eggs in one basket," he said.

A recent report from consultancy BearingPoint, "Making the Leap to the Next Generation," claimed that "the global networks of many financial services firms and other enterprises are 'networks of networks' cobbled together through mergers and acquisitions. The result is often inefficiency, high cost, inadequate disaster recovery and an inability to deliver new bandwidth-intensive applications."

Lacey made his comments while leading a debate on the most pressing risks to IT at the BC Expo.

David McCaskill, section manager for Global Security Solutions at pharmaceutical giant Procter & Gamble agreed during the debate with Lacey's prediction of a major IT security incident in the near future. "I think the risk is real. The U.S. East Coast blackout was a wake-up call for people who didn't believe that a disaster involving critical infrastructure could come out of the blue," he said. "Systems are becoming so complex that no human being can fully understand the potential problems."

But Jamie Watters, business continuity manager at financial services company Barclaycard, disagreed during the debate that a major IT catastrophe was looming. He claimed that it was much more likely that a cumulative series of small events would prove to be more serious over time.

"I think lots of little incidents are potentially more damaging," Watters said. "That is what has happened in the past. A series of small things acting together is probably what is going to kill me in the long run, rather than one big incident."

Andrew Donoghue of ZDNet UK reported from London.