The Department of Home Affairs Australia’s 2020 Cyber Security Strategy review is certainly a step in the right direction to making sure that Australia has the right Cyber Security policy settings in place for the future.
As Australians conduct more and more of their daily lives online, Cyber Security is becoming ever more critical and with the Internet of Things promising to connect billions more devices to the Internet that importance will only grow more.
Cyber Security has become an issue that governments and regulators all over the world are now looking ever more closely at as they seek to cope with potential threats that are out there.
Every country will look to take a different approach – there is no one size fits all approach on Cyber Security – but we are already seeing governments and policy-makers from around the world come together on some key commonalities around ensuring the best possible Cyber Security outcomes.
Indeed, in these troubled times of a pending UK exit from the European Union there are few areas where the UK and the European Union are in agreement – but Cyber Security is certainly an area in which there is plenty of common ground between the two.
Both the European Union and two separate UK Parliamentary committees have issued recommendations on best practice in Cyber Security and both agree on one particular point: It is critical for countries to use the widest possible selection of vendors for 5G to mitigate Cyber Security risks.
There are a number of reasons why having the widest possible selection of vendors helps to deliver the best outcomes on Cyber Security.
1] Spreading the burden amongst multiple vendors means no country is overly reliant on a single vendor – increasing network resiliency to any attack and mitigating risk very effectively.
2] Having competition between vendors encourages race between vendors to deliver quality products and better Cyber Security outcomes.
3] Vendor competition encourages greater investment from operators on local Cyber Security – the greater the investment then the better the protection delivered.
Unfortunately, despite lots of good work being done in the Cyber Security space here in Australia we are moving in entirely the wrong direction when it comes to having the widest possible choice in terms of 5G vendor selection.
Following the exclusion of Huawei from the 5G market in August 2018 we have seen a substantial reduction in competition in the local market to the point where one company is now assuming an extremely dominant position in the local 5G market – this is not where we need to be headed.
Countries around the world realize that simply banning a vendor because of their country of origin does absolutely nothing to improve Cyber Security on telecom networks.
The truth is that the “Flag of Origin” for Telco equipment is not the critical element in determining Cyber Security, this is why we are seeing so many countries now making sure that no vendors are excluded simply on nationality grounds.
Cyber Security is a global problem and therefore needs global standards and a global solution and you are not going to get that by excluding one of the world’s biggest vendors just because its headquarter is based in China – there needs to be a collaborative approach to achieving the best Cyber Security.
In our view, the Australian Government has already achieved a lot in the Cyber Security space including the opening of the Australian Cyber Security Centre (ACSC), the creation of Joint Cyber Security Centres (JCSCs) in five capital cities and the AU$50 million investment in the Cyber Security Cooperative Research Centre (CSCRC).
So, the infrastructure is already in place for the private (industry, research and small and medium enterprises) and public (government and regulator) parties to conduct the work that is needed – that is a fantastic start, we have built the factories so now we have what we need to get to work.
What does that mean in practice? Well, here are some of the things that we need to start doing to achieve what the Australian Government wants to achieve.
1] Adopt global standards and introduce a new set of network security and resilience requirements on 5G and fibre networks for telecoms operators – overseen by the Australian Communications and Media Authority and the Federal Government.
2] The Federal Government should engage with the industry to understand Telecoms supply chain risks and the arrangements adopted by operators to mitigate them, and gain regular updates on operators’ major supplier arrangements.
3] The Federal Government should encourage providers to participate in threat intelligence-led penetration testing schemes and, subject to third party contract arrangements, test operators’ vendor specific arrangements.
4] Operators should be required to work closely with vendors, supported by Government, to ensure effective assurance testing for equipment, systems and software and compliance.
5] Network operators should develop a targeted diversification strategy in order to reduce the over-dependence from 1-2 vendors, and ensure there is a more competitive, sustainable and diverse Telecoms supply chain.
6] The Federal Government should incentivise entry and growth, including market design and R&D support, cybersecurity evaluation and innovation centres; promoting interoperability and demand stimulation.
7] The Federal Government should support market expansion in 5G – including improving access to spectrum, removing barriers to roll-out and promoting new infrastructure models.
9] There should be more investment on 5G Testbeds and Trials Programme, in partnership with the industry, looking at end-to-end cybersecurity assurance and compliance to law, standards and regulations.
10] The Federal Government and industry should explore the need for a new national telecommunications lab, with the support of industry and academia. The lab should bring together operators, vendors, industry ‘verticals’ (e.g. manufacturing, healthcare and logistics) and universities, to explore new applications and business models for 5G and beyond.
None of what we are proposing will be achieved overnight, all of this will take some considerable time – not to mention significant resources – to achieve but we must put this kind of comprehensive framework in place to get the best Cyber Security outcome possible.
There are no simple and definite solutions when it comes to Cyber Security – simple solutions such as banning certain vendors provide only an illusion of security, they offer no real protection and hamper the prosperity and economic growth of a country.
The threats that we face are complex and extremely persistent so our response to those threats must be comprehensive and strategic – if they are not then we are lining ourselves up for a multitude of problems down the track.
Since the Telecoms sector today is an enabler for the entire digital economy and society, Australia needs to act quickly with new policies and regularity frameworks to secure its global competitiveness and prosperity in the near future.
It is essential that policymakers get the new Cybersecurity strategy right and invest in developing skills and local industrial capacity if they want to provide opportunity for all in the era of the Fourth Industrial Revolution.
In Australia, ensuring cybersecurity and finding a balance between technology integration, human capital investments and the innovation ecosystem will be critical to enhancing productivity in the next decade.
Dr. David Soldani is Chief Technology and Cyber Security Officer at Huawei Australia.