One of my professional mentors and heroes is a well-read, rock n’ roll-loving policy expert (the word “wonk” seemed disrespectful and that’s the last thing I’d ever want to be) who pointed me toward an interesting report on wireless resiliency published last fall in the U.K. Let’s just say that when Obi-Wan Kenobi of spectrum policy points me in a given direction, I head there immediately. And I’m sharing here because, having now read the “Cyber-Spectrum Resilience Framework” report myself, I, too agree, that it raises some important issues for consideration by virtually every enterprise that relies on wireless service to support its business.
First and foremost, while data security has become an increasingly important issue as the amount of data “out there,” as well as the frequency of publicized data breaches, rises, less focus seems to be given to actual network security. Many enterprises are absolutely focused on maintaining the integrity of stored data, but they may not be sufficiently diligent about the networks used to collect, maintain, and distribute said information -- whether it belongs to the enterprise or its customers.
With this in mind, here is a summary of the 10-point checklist prepared on behalf of the UK Spectrum Policy Forum. I’ve condensed the recommendations into nine because of some overlap, but please consider this a multistep call to action.
- Spectrum Audits -- It’s imperative that enterprises know precisely which pieces of spectrum they’re using and why. While some uses may be obvious, others are not, and in the event of anything from a hiccup to a failure, network administrators and their chains of command should have more than a cursory knowledge of which portions of spectrum they’re using and for what purposes. The report also recommends that enterprises have a single point of contact for all issues related to spectrum use.
- Impact Assessment -- In order to make the best decisions in the event of an outage, savvy network managers should clearly understand what the impact of the loss of spectrum-based operations could have on the enterprise. This impact assessment should include factors such duration of the disruption and the number of applications that could be affected simultaneously.
- Detection/Monitoring/Recording -- How is the enterprise detecting and monitoring network outages? The answer to this question is critical because in the event of a network issue, it’s paramount that those managing the outage know precisely where to look. The more complex the network, the more vulnerabilities exist. While the ultimate goal is, of course, complete restoration, it’s critical to pinpoint the source of the failure so the problem can be quickly -- and, with luck, permanently -- repaired and service restored.
- Response and Recovery Planning -- Only with good planning can enterprise network managers know how their teams will respond to minimize the problems and aggravation associated with outages. With this in mind, creating a response and recovery plan is essential.
- Reporting -- Enterprises certainly face legal obligations regarding reporting in the event of certain types of breaches. But this isn’t about reporting breaches; it’s about network failures and the exposure of vulnerabilities. By working with the enterprise’s legal and risk teams, network managers are in the best place to “manage the messaging” in the event of a problem.
- Practice and Testing -- Regularly scheduled testing of how plans and procedures work is always a good strategy. If network resilience is the goal, then familiarity with the processes will only make problem management a bit less complex should the network fail.
- Updates -- As with any good contingency plan, for network failures or otherwise, it’s always advisable to keep existing plans current. As underlying technology changes and is refined, it’s entirely possible that existing plans to “stop the bleeding” will need revisions on a regular basis. Put this action on a calendar such that the information is reviewed on a systematic basis. Included in this point is assurance that all software and hardware updates are properly in place.
- Qualified Personnel -- It’s imperative that the people within the enterprise responsible for network management have the skills and expertise to do their jobs. I suspect that this is less of an issue than some of the points closer to the top of the list, but it’s worth a quick reference.
- Board Responsibility -- Although they’re not under federal mandate to do so as with financial transactions and data breaches, board members should be aware not only of compliance obligations, but also the differences between data and network security and steps the enterprise has taken to ensure both.
With time, the number of operations within an enterprise that rely on spectrum-based technologies will only continue to increase. As such, careful identification and examination of network vulnerabilities, and equally careful planning for disruption, will serve the enterprise well.
Although Obi-Wan is famously known for his advice to “use the Force,” this sort of reliance, in and of itself, may not be sufficient to remedy challenges posed to the network by matters outside the boundaries of normal operation. So, to quote another Jedi Master, Yoda: “Do, or do not. There is no try.”