Harry Emerson
Emerson Development

At a time of economic downturn when insurers are struggling togrow revenue, the security issues generated by Internet phoneservice, aka Voice over Internet Protocol or VoIP, could very wellcreate a new frontier for insurance carriers.

Most of you are familiar with the popular Internet phone serviceknown as VoIP, a low-cost, discounted service that is rapidly beingadopted just about everywhere. The use of VoIP telephones isgrowing because of their generous price structure and the relativeease of entry for new users. But there is a dark side tonearly-free telephony which has escaped our general attention as wejoyfully embrace its ever-cheaper cost of doing business.Unfortunately for the user, society will be noticing this dark sidemore and more as organizations and institutions across the globecontinue to adopt VoIP for their primary means of telephonecommunication. Lured by the siren call of low cost or no-costservice, and the absence of any FCC regulations whatsoever, thepublic and private sectors have closed their collective eyes to theglaring absence of safeguards built into this cheaper / cheapestbusiness model, and like lemmings are enthusiastically racingtowards the cliff of cyber-insecurity.

What we are not looking nor seeing is that in the process ofchanging over to VoIP, users are unwittingly shifting from thereliable and secure traditional telephone network to an Internetenvironment of extreme risk. As it becomes more prevalent, weanticipate that VoIP will be increasingly vulnerable to hostileacts. This is because due to the architecture of the Internet,every person and every system has direct access to one another,implicitly giving all of us a trusted relationship with everyhacker and terrorist in the world. By joining the VoIP party, wenot only give those with malicious intent the direct access to ourexisting systems, computers, and networks--which we have alreadyconceded--but we extend that access into the private realm oftelephone communications.

The honeymoon is over. It is now being recognized that friendly,affordable, easy-to-use VoIP shares all the risks of the Internet,exposing all the features of voice communications to hacking andexploitation with the potential for disastrous results.

This is bad news for VoIP users, but indications are that itwill be good news for insurance carriers who will be called upon toprotect against the risk of financial loss by VoIP users, VoIPmanufacturers, VoIP distributors, installers, designers, andsellers. Consequently, according to Glenn Tippy, president andmanaging partner of Gerrity, Baker, Williams Inc. (www.gbwinsurance.com), and boardmember of the Professional Insurance Agents of New Jersey Inc., wecan foresee that "insurance carriers will increasingly price forInternet / VoIP telephone exposure; cyber insurance products willbe created for users of VoIP, as well as for VoIP providers andvendors; and The effects upon our economy will be profound."

What we are talking about is a major shift in the perception ofsafety vs. risk as the hazards built into the current VoIP systemare acknowledged. We are also talking about a major new marketopening for insurers.

We are not alone in our assumption of perceived risk. Withbusinesses and government spending vast amounts of money to protectthemselves against what feels like a growing army of terroristsinvading the technology we all depend upon, the Obamaadministration is rightfully zeroing in on cyber security, cybercrime, and cyber warfare as a major part of its homeland securitypriorities. Meanwhile, the situation is getting worse, not better,which is why it has now been elevated to the level of a nationalsecurity concern. Should we be worried about Internet phone serviceas it is now configured? Unfortunately, the answer is "Yes."

Being server-based, Internet telephony is susceptible toespionage, hacking, eavesdropping, intrusion, interruption,identity theft, denial-of-service attacks, and other forms ofmalicious and criminal interference via any and all the techniquesthat hackers employ. The role of hackers is to devise schemes tobreak into Internet servers. Therefore, no one should be surprisedthat with the accelerating trend towards widespread use of VoIPtechnology, they will turn their attention to VoIP servers. AllInternet servers are susceptible to hacking. The fact that VoIPrelies upon servers accessible on the Internet endangers personal,corporate, and national security, which will have a direct andincreasing impact upon the insurance industry and those it serves."VoIP is making it easier to wage cyberwar..." an analyst reportedas far back as 2004, "just as flaws that make some VoIP productsvulnerable were revealed." - (Network World 1/19/2004). The growthin malware and cyber attacks is exponential. According to F-SecureCorporation, malicious software attacks tripled in 2008[1]. Midway through 2009 McAfee's Avert Labsreported that attacks have tripled since 2008.

We have begun to see many examples of cyber crime including theexploitation of VoIP throughout society and the world. Two extremecases are now recognized as early warning signals: In 2007 Russiautilized cyber-warfare against Estonia and in 2008 against Georgia,and completely shut down the infrastructure of those countries.More to the point for the insurance industry, according to a recentreport by the security firm McAfee and Purdue University, theft ofintellectual property, fraud, and damage of corporate networks costcorporations over a $1 trillion globally in 2008. To give thisdiscussion more focus, think about the implications for the legalprofession, the banking industry, hospitals, pharmaceuticalcompanies and medical practices, the non-for-profit sector,manufacturers, governments, the military, and private individualsas they migrate to VoIP in greater numbers; and consider the impacton the insurance industry as client losses due to VoIP begin topile on top of that $1 trillion.

Meanwhile a growing backend industry is developing to createpiecemeal fix-it technologies which are costly to plan, to acquire,and to administer, and which will be unavoidably inadequate due tothe very nature of VoIP. It might be possible to harden some piecesof infrastructure that an organization has control over (keeping inmind that most small entities will not have control over anything),but you can't protect against VoIP calls to or from locationsoutside those boundaries, nor can you protect against publicsystems on the Internet such as DNS (domain name servers). And youcertainly can never protect against risks such as eavesdroppingwhen the other party uses VoIP (whether or not you do) because youhave no way of knowing if their systems or service providers havebeen compromised. Furthermore, hardening doesn't prevent thepossibility of an employee contracting a virus or Trojan horse thatcan share all your phone calls with an invisible third-party.

However, at Emerson Development, we advocate planning forfeatures and services incorporating front-end provider-basedsecurity by enhancing the existing public telephone network tosupport broadband Internet connections. That plan can be seen andstudied here.

Meanwhile, the flourishing VoIP online telephone service willsoon be recognized to be broken. Protections will be needed for theinevitable problems arising for the growing numbers of VoIPhardware and software developers, carriers and end users. Theinsurance industry will have its work cut out for it in aprofitable new arena focusing on the telephone sector of Internetcommunications and the issues of cyber-security.

[1] http://www.f-secure.com/en_US/security/security-lab/latest-threats/security-threat-summaries/2008-4.html

About the author:
Emerson Development founder and managing partner, Harry Emerson, isan expert in computers, voice and data communications, and theInternet. His career history includes 25 years in variousmanagement and strategic capacities at AT&T and the design andmanagement of large-scale, multi-million dollar enterpriseapplications and data systems. His most recent project is thedevelopment of a plan to modify Online telecommunications on theprovider side, so that the Internet's broadband capabilities can beused without jeopardy.
Contact: Jacqueline Herships Communications
973-763-7555 [email protected]