“If you’ve built a telecommunications network in a way that the compromise of one supplier can cause catastrophic national harm, then you’ve built it the wrong way”
“Last year, the NCSC publicly attributed some attacks on UK networks, including telecoms networks, to Russia. As far as we know, those networks didn’t have any Russian kit in them, anywhere”.
That was NCSC CEO Ciaran Martin, speaking at the European Cybersecurity Forum CYBERSEC 2019, amid a growing outcry over the alleged security risks of including Huawei equipment in 5G infrastructure.
Lest the point was not clear enough: “In the 1,200 or so significant cyber security incidents the NCSC has managed since we were set up, the country of origin of suppliers has not featured among the main causes for concern in how these attacks are carried out” he added yesterday in Brussels.
Any decision to ban (or otherwise) Huawei equipment from future 5G infrastructure – as the US has done, and urged its partners to do – will be made in the spring following a policy process being led by the Digital Department and its Secretary of State, he emphasised; it’s not, in short, solely the NCSC’s call and other issues will come into play.
But the comments were the strongest signal yet from the NCSC that it does not believe individual hardware infrastructure or supply chain issues are, or should be, the security priority when it comes to building next-gen telecoms infrastructure.
In a lengthy speech, in which the word “objective” (“objectively true”; “objective, evidence-based”; “objective, technologically literate”) came up frequently, Martin pointed to three technical pre-conditions for secure 5G networks.
NCSC CEO: Want Secure 5G? These are the Three Technical Priorities
5G will be hugely important from a security perspective given the sorts of networks dependent on it, the CEO noted: large-scale use of autonomous vehicles, cloud-based desktops, the underpinning of smart cities, etc.
So what are the priorities for security?
“First, we must have higher standards of cyber security across the entire telecommunications sector. The biggest threat to our cyber security is weak cyber security. Practices must be improved… The market does not currently incentivise good cyber security. That has to change.
“Second, telecoms networks must be more resilient. We must assume that a global supply chain will have multiple vulnerabilities, whether intentional or, more likely, unintentional. Networks are built by human beings and human beings make mistakes. No network can be totally safe.
“Networks can and should be designed in a way that will cauterise the damage. That is what we need to do. Put it another way, if you’ve built a telecommunications network in a way that the compromise of one supplier can cause catastrophic national harm, then you’ve built it the wrong way.
“Third: There must be sustainable diversity in the supplier market. Should the supplier market consolidate to such an extent that there are only a tiny number of viable options, that will not make for good cyber security, whether those options are Western, Chinese, or from anywhere else. Any company in an excessively dominant market position will not be incentivised to take cyber security seriously. And at the same time that company could also become the prime target for attack”.
“Let’s Work Together”
The speech at the event in the Bulgarian capital Sofia was not all about Huawei: Brexit and intelligence sharing, naturally, cropped up too.
“Our commitment to working with partners here on the European continent is unshakeable. Whatever form the future relationship between the UK and the European Union takes beyond 29 March this year, the Prime Minister and her Cabinet have long made clear that our support to European security as a whole is unconditional” the NCSC’s CEO noted.
If there was a subtle second point to be raised, it was, perhaps, “you need our skills”. As he put it: “It is objectively true that nearly all of the functions of the UK’s National Cyber Security Centre fall outside the scope of EU competence.”
Make of that what you will…
Huawei Promises British Investment
In other Huawei news, the Chinese company’s founder Ren Zhengfei told the BBC this week: “We still trust in the UK. If the US doesn’t trust us, then we will shift our investment from the US to the UK on an even bigger scale.”
Huawei claims to have invested and procured £2 billion in the UK and plans to spend another £3 billion with British suppliers over the next five years. A release emailed to Computer Business Review added: “Huawei has committed to spend at least an additional $2 billion (£1.55 million) in this country to transform the way that it develops its software. Through its training schemes and partnerships with leading universities, the company is also helping the UK develop skills for the future as it delivers the technology that will drive British growth and prosperity.”
“Huawei’s commitment to the UK is built on trust and transparency. For the last five years, the company has funded a centre overseen by GCHQ that provides the security services with complete access to Huawei technology. No other technology supplier in the UK is open to this degree of independent scrutiny.”