Observations from the chair at the far end of the table - AH&LA Cyber Security Task Force


June 12, 2015
Cyber Security
Jeffrey Stephen Parker, CHTP

Recently, I had the pleasure of being involved with the newly formed AH&LA Cyber Security Task Force. This group was formed to help curtail the recent tide of negative press coverage impacting hospitality operations, not just to find and act on best practices, but to be an important voice providing clarifications and solutions with the U.S. Congress and the Federal Communications Commission (FCC). Here are some of the things discussed.

Wi-Fi is personal…Duh.
Okay, not a shocker here: delivering high-speed Internet access (HSIA) to our guests has been a major concern, and leading technologists in the industry have been working with key partners to set strategies to address it. The biggest epiphany here is that the U.S. Congress and the FCC finally realized that hotels have HSIA, and now want to participate in what we can and cannot do with it.

The FCC is so busy taking a victory lap over its recent ruling that it forgot to contact the Secret Service, Federal Bureau of Investigation (FBI), Federal Trade Commission (FTC) and the Department of Homeland Security (DHS) on what they thought.

In enforcing the new ruling and taking credit as a consumer hero in the press, the FCC has completely overlooked that this position has handcuffed hotels (and other operations) from truly protecting guests. Other major departments and commissions have communicated to the AH&LA and other hospitality trade organizations that open public HSIA (particularly Wi-Fi) networks are a major target for evil-doers. These organizations want to enlist our help in protecting consumers, businesses and even the government from as many of these attacks as is reasonable. Many of these tools have now been removed from our quiver.

Anyone can be a hacker for $99 plus shipping.
Check out Pineapple, a $99 4-inch x 4-inch x 1-inch box that comes loaded with all kinds of user-friendly tools (Honey Pot, Man-In-The-Middle, Sniffing, Spoofing) to test your network’s ability to prevent attacks. Or… well let’s just say all of the “testers” likely do want to help us protect our networks.

We need so much bandwidth for the bad guys.
More than half of all Internet traffic is related to malware, according to Brian Hendricks with Nokia.

The FCC focused on blocking guest hot spots, but that is not what the document really says.

While the FCC has been laissez-faire on protecting and securing back-of-house operational networks, the ruling has very specific language and, without clarification, could be interpreted in a manner that prevents hotel IT from using active tools to interfere with attacks on our back-of-house Wi-Fi.
https://www.fcc.gov/document/warning-wi-fi-blocking-prohibited

NIST really wants to help.
No longer just a repository for documentation on impractical ways to lock down computers and networks, the National Institute of Standards and Technology (NIST) has recently formed the National Cybersecurity Center of Excellence (NCCoE) with the charter to collaborate with industry experts to come up with cost-effective, repeatable and scalable ways to secure real-world networks with real world currently available technology. Currently working on a project with the healthcare industry, NIST is interested in working with hospitality to identify and solve today's most pressing cybersecurity challenges.

Cyber ranges sound really cool.
The NCCoE is creating cyber ranges, virtual environments that are used for cyber warfare training and cyber technology development. They provide tools that help strengthen the stability, security and performance of cyberinfrastructures and IT systems used by government and military agencies.

Cyber ranges function like shooting or kinetic ranges, facilitating training in weapons, operations or tactics. Thus, cyber warriors and IT professionals employed by various agencies train, develop and test cyber range technologies to ensure consistent operations and readiness for real-world deployment. Right, really cool?

We have what (Evil-Doers) want.
Part of the meeting included time with Kathleen Rice, former counsel for the U.S. Senate Select Committee on Intelligence and the FBI, now with the law firm of Faegre Baker Daniels (FBD) and its public policy division as counsel and senior director, respectively. Any part of any legislation involving cyber in the last 10 years had her hands on it. Rice reinforced that cyber criminals are looking for ways to obtain personal and commercial data including financial information, employee personal records, customer information and passwords, medical records or intellectual property. This information is used for identity theft, corporate espionage, and plain old theft.

Rice stressed that you need to know your data – what do you have and why someone else would want it. Ask your teams, do you really need it, why, what format, to whom is the data accessible? You can't just say everyone on your team has access. It’s not that simple. The hotel industry needs to be crystal clear on how we are protecting this data. When the industry talks to legislators, it needs to discuss why/what we need to collect.

HSIA vendors are still not sure what to do now.
Industry partners are desperately trying to understand how to run our networks in this new environment, what constitutes interference and who is responsible.

We have clients and guests that come into our hotels and want a secure, private network provided. Most of these groups are military, government or pseudo-government groups. If the FCC ruling is followed to the letter, a hotel is legally unable to set up and protect these networks. What is a partner to do? Break the law or lose a customer?
 
The InnKeepers Law does not apply, or can’t if the FCC is right.
Hotel operators simply cannot be required to provide reasonable protection from harm if the FCC says we cannot put network security in place to thwart people trying to do harm.
 
Ted Hopcroft with Starwood has a great idea, and only wants a dollar from everyone who uses it.
In an idea for which we all would like to take credit, Ted Hopcroft from Starwood suggested that the industry talk to the FCC about creating an organization that is to SSIDs what ICANN is to URLs. For example, Magnolia Hotels registers MagnoliaHotels as a URL, pays a fee, and obtains a certificate similar to an SSL certificate for its broadcast SSID. This is flagged when a guest is looking for networks. Right now, tools show unsecured and secured networks (indicated with a lock icon or an exclamation point). Why not a new icon indicating certified, like the indicator in browser bars? This would give the guest the option to connect to the real hotel network that the hotel is providing. I know, it's brilliant; please send your checks to Ted once we get this up and running.

5G is coming, and it’s a doozy.
According to Brian Hendricks, head of technology policy and government relations North America for Nokia USA, the fifth generation wireless network specifications will work more like an envelope, encompassing Wi-Fi, Bluetooth, 2G-4G, LTE, LTE U, and more.

5G will usher in what Mr. Hendricks predicts will be 10 times the Internet traffic of today. Speed will not be the primary issue; latency will. You don’t want your self-driving car taking you into a lake because of a latency issue. 5G should create the perception of infinite capacity. 5G will not replace hotel Wi-Fi; we are sorry to break that news.

In the end, the task force is a group of very committed, smart people who are trying to come up with a reasonable solution to a dynamic threat.

Jeffrey Stephen Parker, CHTP, is the vice president and Chief Funologist for Stout Street Hospitality.

©2015 Hospitality Upgrade
This work may not be reprinted, redistributed or repurposed without written consent.
For permission requests, call 678.802.5302 or email info@hospitalityupgrade.com.

 

