The risk of focusing too narrowly on one area, vendor or technology is a lack of attention elsewhere, but here the National Cyber Security Centre seems to have finally admitted it is not all about Huawei.
This is the precarious position the UK is in. Many in the industry are focusing on the threat from Huawei because of its indirect links to the Chinese Government, and seemingly not taking the risks elsewhere into consideration. Huawei should be treated as a risk when we are discussing critical infrastructure, but so should Nokia, Ericsson, Cisco and any other technology vendor.
To date, most discussions have centred on whether exposure to Huawei or Chinese companies should be limited, but the real question should be how to mitigate risk irrespective of where it comes from.
“In other words, if this sort of disruption is possible via Huawei, then it’s possible in all sorts of other ways too that should also be of grave concern,” said Ciaran Martin, CEO of the NCSC. “And it means we’ve built the networks the wrong way. The technical job of the NCSC is to make sure they are built in the right way.”
Martin is not wrong here. Focusing on one company protects you from that company, but given the complexity of global supply chains in the industry today, threats should be assumed to come from anywhere. Risk mitigation should be applied across the board and set at a level where it does not matter where you are buying products, components or services from.
Admittedly, what we have described here is a perfect-world scenario. No one and nothing should be considered 100% secure. But the theory and practice of risk mitigation should be applied as a standard across the industry, without prejudice or favour shown to anyone.
Here are the risks which have been highlighted by Martin:
- Accidental failures due to operational mistakes are a risk whichever vendor is involved
- It should not be ignored that hostile states can insert and exploit malicious code covertly in equipment from Western vendors
- Human operatives can be placed into any organization, not just the ones from the country of interest
Another area we would like to point to, which Martin has not addressed, is the criminal element. There are of course nefarious individuals in the UK, Sweden, Italy or Germany who would want to profit from these vulnerabilities. These are guns for hire on the dark web who might insert a weakness and then sell access to the highest bidder, and they could work for anyone and be of any nationality.
Adding credibility to Martin’s assertions are the complexity and diversity of today’s international supply chains. There are few international businesses (if any) that are not touched by China or a Chinese company. Some suggest Huawei could be coerced by the Chinese Government into aiding its intelligence-gathering activities because of domestic legislation, though the same theory applies to any Chinese company.
If you believe in the reach of this law (we are going to remain on the fence for the moment), it would imply that any company with a Chinese component in its supply chain could theoretically be a risk. And it might not be in the most obvious way.
At Mobile World Congress this year we sat down with security company Sophos, who highlighted that attackers are becoming increasingly sophisticated. If a weakness can be introduced at a supplier to a major vendor, the company which provides its accounting software for instance, the compromise can be escalated from there.
It is a fair assumption that security at a small, niche supplier is not as stringent as at an international corporation. Using the niche supplier as a Trojan Horse is one way protections can be bypassed in pursuit of a bigger prize.
This matters because it shows how complex the digital world has become, and how hard it is for a multinational corporation to manage its supply chain effectively.
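One practical expression of the vendor-agnostic approach the article argues for is to treat every delivered artifact (a firmware image from a network vendor, an installer from a small accounting-software supplier) identically: compare it against a digest pinned out of band before it goes anywhere near production, and flag anything the supplier did not declare. The following is an added illustration written for this page, not code from the NCSC or from any vendor named above; the artifact names, bytes and the pinned manifest are all constructed.

```python
"""Vendor-agnostic delivery check: every file is verified against a digest
pinned out of band, whoever the supplier is.  Constructed illustration, not
code from the NCSC or any vendor in the article."""
import hashlib
import hmac


def sha256_hex(data: bytes) -> str:
    """Hex SHA-256 of an artifact's bytes."""
    return hashlib.sha256(data).hexdigest()


def verify_delivery(pinned: dict, delivered: dict) -> dict:
    """Compare each delivered artifact against the pinned manifest.

    pinned:    {artifact_name: expected_sha256_hex}  (obtained out of band,
               e.g. from a signed release note, not from the download itself)
    delivered: {artifact_name: bytes}                (what actually arrived)
    Returns {artifact_name: "ok" | "tampered" | "missing" | "unexpected"}.
    """
    report = {}
    for name, expected in pinned.items():
        blob = delivered.get(name)
        if blob is None:
            report[name] = "missing"
            continue
        actual = sha256_hex(blob)
        # Constant-time comparison so a failed check leaks nothing about
        # how many leading characters of the digest matched.
        report[name] = "ok" if hmac.compare_digest(actual, expected) else "tampered"
    for name in delivered:
        if name not in pinned:
            report[name] = "unexpected"  # a file the supplier never declared
    return report


# Constructed sample: two genuine artifacts, one of which arrives modified,
# plus an extra undeclared file.  Names and contents are made up.
GENUINE = {
    "baseband-fw-1.2.bin": b"\x7fELF-fake-firmware-bytes",
    "billing-agent-3.4.msi": b"MZ-fake-installer-bytes",
}
PINNED_MANIFEST = {name: sha256_hex(blob) for name, blob in GENUINE.items()}

DELIVERED = dict(GENUINE)
# The small supplier's installer has had bytes appended in transit.
DELIVERED["billing-agent-3.4.msi"] = GENUINE["billing-agent-3.4.msi"] + b"\x90\x90"
# And a file nobody declared has turned up alongside it.
DELIVERED["helper.dll"] = b"undeclared-extra-file"


def run_check() -> dict:
    """Run the verification over the constructed delivery."""
    return verify_delivery(PINNED_MANIFEST, DELIVERED)


if __name__ == "__main__":
    for name, status in sorted(run_check().items()):
        print(f"{status:10s} {name}")
```

The check is deliberately indifferent to who shipped the file: the large network vendor's firmware and the niche supplier's installer pass through exactly the same gate, which is the point Martin is making about building networks the right way rather than picking which vendor to distrust.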
The point Martin is making is an important one. Everyone is focused on China and Chinese companies, but that is dangerous. The risks are everywhere, and no vendor, irrespective of its origin, should be considered a safe bet.