Conclusions

The goal of the FCC's ONA is to create free market conditions within the telecommunications industry. ONA requires carriers to provide competing ESPs with access to basic communications services on an equal cost basis and in a nondiscriminatory manner. Telecommunications services are unbundled into services that are tariffed and may be purchased individually by enhanced service providers. The essense of the ONA plan created by each carrier is to describe which Basic Service Elements are Offered.

In the Computer III Decision, the FCC noted that ONA was a long-term evolving process. The FCC was primarily concerned with providing unbundled services on an equal access basis and left the implementation details fundamental to providing those services up to the independent carriers. Security was not a driver for ONA and for the most part, the FCC has relied on the carriers to ensure that the services provided are secure. The FCC's requirements for security capabilities have resulted primarily from the requirement that ONA services be provided in a nondiscriminatory manner. For example, the FCC's requirement for the protection of Customer Proprietary Network Information was made to prevent the carriers, who had access to customer proprietary network information for subscribers of the carriers' basic network services, from having an unfair marketing advantage for enhanced services.

The exploitation of vulnerabilities introduced by the FCC's ONA can impact the availability of PSN resources and services, the integrity of data/information, the disclosure of data/information and the fraudulent use of services.

ONA creates network vulnerabilities because it greatly increases the number of users (some of whom will be hostile) who have awareness of the network architecture. In addition to broadening access to telecommunications systems and facilities, ONA increases the levels of access to telecommunications systems and facilities. As users learn more about the operation of network software, those with hostile intent will acquire knowledge that could assist them in abusing resources.

The following list summarizes the most significant vulnerabilities that ONA introduces into the PSN. Note that many of the vulnerabilities listed below existed prior to the FCC's ONA requirements. However, because of the open nature of ONA, these vulnerabilities are significantly increased.

• By giving more users access to the network, ONA increases the potential for unauthorized access of network elements if strong access mechanisms aren't used.

• If strong resource access control mechanisms aren't used, by increasing the level of access to network resources, ONA increases the potential for users authorized to use a network element to obtain access to resources other than those that are needed to perform the job function

• The opening of the network results in the broadening of access to stored data/information. If data is not adequately protected, then the data is vulnerable and the integrity and privacy of the data may be compromised.

• Services supported by ONA networks will require more software than the traditional Plain Ordinary Telephone Services. New software may contain bugs. ONA not only increases the amount of software used, ONA also greatly increases the number of users who have access to network software, and the number of levels of access to the software. By giving more users access to network software, ONA increases the potential for hostile users.

• ONA increases vulnerabilities associated with system integrity. For example, if carriers do not adequately plan for the increased real-time switch capacity associated with the unbundling of services, the integrity of network element systems will be affected.

• ONA involves the provisioning of billable services, and thus ONA increases the potential for fraud and/or financial loss.

• Malicious hackers have the capability to exploit the vulnerabilities associated with ONA.

• Services requiring distributed intelligence are likely to introduce vulnerabilities.

• As Intelligent Network concepts are merged into networks based on ONA requirements, many vulnerabilities will result.

• As the number of new services increases and the complexity of new services increases, the potential for vulnerabilities associated with new services increases.

• ONA increases the potential for vulnerabilities associated with feature interaction problems.

• Weakness in one carrier's networks will potentially insert vulnerabilities into another carrier's networks if the networks are interconnected.

• As an ESP connects to the PSN, weakness associated with the ESP's telecommunications networks and services will insert vulnerabilities into the PSN.

• Depending on the degree that a carrier investigates the credentials of an ESP, as well as the degree of security provided by the ESP, before allowing the ESP access to the PSN, ONA increases the potential for unauthorized access.

• Each ONA implementation may have its own vulnerabilities.

• OAM& systems and services may introduce new vulnerabilities.

• The implementation of new technologies and further unbundling will result in new NS/EP telecommunications security concerns.