Security experts have been warning recently that telecom carriers are becoming an emerging target for distributed denial of service (DDoS) attacks, which attempt to take down a service by flooding it with massive amounts of traffic, thereby rendering it unavailable to legitimate visitors.
On August 15, 2012, AT&T suffered a DDoS attack. AT&T told ComputerWorld that "[d]ue to a distributed denial of service attack attempting to flood our Domain Name System servers in two locations, some AT&T business customers are experiencing intermittent disruptions in service.... Restoration efforts are underway and we apologize for any inconvenience to our customers." Details of the attack were sketchy, but the attack reportedly lasted several hours and affected enterprise customers of AT&T's managed DNS service in the former BellSouth region.
Some wags were quick to note that AT&T apparently was not using its own DDoS protection service, which the company claims "rapidly identifies the sources and attributes of any suspicious transactions, including the newest threats. We can adapt the network behavior to mitigate their effects while valid traffic continues to be delivered, as usual, to your access router. So business continues as normal."
It may be fun to note the irony that AT&T hypes DDoS security services even as it struggles to protect its own network. However, that should not obscure the serious security challenges facing enterprises going forward. There will be further attacks on carriers, and AT&T isn't the only target. So how should enterprise customers respond?
The first step is to realize that "business as usual" cannot work for two reasons: not only are traditional telecom carriers facing new threats to their existing services, they are also offering a vast new array of services (including cloud services and security) beyond their traditional portfolio of network services. That means the telecom-oriented boilerplate that the carriers developed over the years is no longer adequate. A cloud contract (for example) raises different concerns than a telecom contract. Accordingly, it is time for customized contract provisions and service levels that address these new realities.
This won't be easy. As one AT&T executive recently observed, AT&T has spoken telecom for years but is now learning to speak web. The problem is that AT&T will probably speak web with a thick telecom accent for some time to come. And the language of telecom is to shift risk to the customer. For example, a customer who bought web or security services under AT&T's standard Business Services Agreement would find under Section 7(a) that AT&T "makes no warranty"
* "regarding network security," (i.e., there are zero warranties about any aspect of network security.)
* "regarding the encryption employed by any service,"
* regarding "the integrity of any data that is sent, backed up, stored or load-balanced by any service,"
* "that AT&T's security procedures will prevent the loss or alteration of or improper access to your data," and
* "that services will be uninterrupted or error-free."
Enterprises need to consider whether they can stomach such a wide array of carve-outs in the new world of threats and services in which we live.
Moreover, Section 7(b) of AT&T's standard terms disclaim liability (which is legalese for saying "our liability = $0.00") for damages relating to "service defects" or to "service levels, delays or interruptions unless specifically provided otherwise," or "unauthorized access to or theft, alteration, loss or destruction of your or others' applications, content, data, network, or systems." In other words, if any of the foregoing problems occurs, the customer cannot recover anything from AT&T unless there is an SLA in place, in which case the customer only gets what the SLA provides. A final note: the Business Services Agreement says nothing about the security standards and procedures that AT&T is required to undertake as the service provider.
The combination of new threats and new services means that customers must be increasingly vigilant about the standards to which they hold AT&T and other carriers for all of the services that they are providing. Here are several ways to start this process:
* While carriers are loath to let customers mandate how they run their networks, customers should demand accurate, thorough, and timely reports about the causes of outages along with remediation plans and about how "lessons-learned" will be used to improve procedures and prevent future problems;
* Ensure that the customer and carrier coordinate (and, if at all possible, periodically test) disaster recovery plans and procedures
* Demand that service providers commit to providing industry-standard products, services and procedures to protect their networks; and
* Push for comprehensive SLAs (as well as related support from the account team and engineers) that meet the enterprise's operational needs and that identify and solve the root cause of service problems.
In short, enterprises must demand information and accountability about how the carriers manage risk in their network.
Many carriers are eager to branch out from traditional telecommunications services and move to other, potentially higher-value offerings such as cloud and security services. But making this leap requires jettisoning the traditional telecom mindset (including the contract forms).
And some carriers may be "getting it:" Verizon recently announced that its new eHealth cloud service will be HIPAA-compliant and that Verizon would, as part of the services, execute business associate agreements, something that telecom carriers traditionally have refused to do. The true merit of Verizon's offering depends on what it's prepared to do contractually, but this certainly looks like a step in the right direction.
But until all of the carriers make the transition, enterprises must recognize that "one-size-fits-all" contract provisions can have serious gaps and produce unintended consequences.
