As we move ever further towards the fourth industrial revolution there will be no more important issue for countries than ensuring the Cyber-Security of their telecom networks.
Making networks secure will ensure that consumers can conduct their digital lives with confidence that their data is safe and secure – and with so much of our lives now conducted online that is absolutely crucial.
One thing that has become ever more evident in these last few years is that, although we hear the term ‘Cyber-Security’ more and more these days, there is still a broad lack of understanding of what this means in practical terms.
Given how much we are going to rely on safe and secure networks as we move to an all-digital economy it is important that people begin to understand how important a proper Cyber-Security framework is to ensuring economic prosperity.
If you read the mainstream media you could easily believe that most Cyber-Security incidents are caused by malicious actors – linked to extrajudicial influence and related to a vendor’s country of origin – but this is a long, long way from the truth.
The actual truth is that in the real world only around 4% of Cyber-Security incidents in the EU are caused by these kinds of malicious actors (denial of service attacks and damages to physical infrastructure).
The vast majority (more than two thirds of the cases in the EU, and up to 90% of incidents in the UK) of Cyber-Security incidents are caused by hardware and software failures on the network – with nearly 20% caused by human errors.
Also, the data show that the country of origin of suppliers is not among the main causes for concern in how attacks are carried out, i.e. the “flag of origin” for telco equipment is not the critical element in determining cyber security.
These sorts of statistics should help us to better put this whole problem into a broader perspective and make appropriate decisions when it comes to Cyber-Security standards, laws and regulations, targeting more resilient telco infrastructure.
The Cyber-Security centres in the EU, UK and Australia have identified a number of key security risks associated with the telecom supply chain.
Firstly, and by far the most important, if there is an over-dependence on a single vendor, as vendors’ supply chains may have the same level of risk, then there will be an immediate problem, because if there is a Cyber-Security issue with that vendor then network resilience cannot be guaranteed.
In addition, there must be a strong focus on the quality of the hardware and software ensuring that there are no faults or vulnerabilities in network equipment and attention must be paid to ensure that there are no ‘backdoors’ installed in network equipment.
However, it is important to note that in Europe and the UK, the effort is currently shifting from simply removing vulnerabilities to also detecting and responding to the actual harms.
We know that governments all over the world are looking at this Cyber-Security issue with increasing focus and urgency especially over in the UK where two parliamentary committees, Science and Technology (STC) and Intelligence and Security (ISC), have just handed down reports to the UK parliament.
The UK parliamentary committees concluded that for networks to be resilient to any attack – so that no single action can disable the system – the usage of a diverse range of vendors is critical.
The committee found that the network should not be dependent on just one vendor, as this would render the system less resilient, and also concluded that requiring operators to use equipment from more than one vendor increases competition between those vendors and forces them to improve their security standards.
Indeed, as part of an ongoing review the UK Government is now looking to see how it can incentivize operators, and indirectly their suppliers, to improve Cyber-Security standards and create sustainable diversity in the telecoms supply chain.
If we look more broadly on a global scale we have also seen the well-known ‘Five Eyes’ consortium of countries – the USA, UK, Canada, Australia and New Zealand – establish their own criteria for establishing secure networks.
The Five Eyes have made it clear via a Communique earlier this year that there is a need to ensure Telecoms supply chains are trusted and reliable to protect our networks from unauthorized access or interference.
The Five Eyes group also agreed that there must always be an evidence-based risk assessment to support the implementation of agreed-upon principles for setting international standards for securing Cyber-Security on networks and we are seeing a similar approach being taken by the European Union.
Here in Australia the government cannot be accused of standing still on Cyber-Security; they have already taken a wide range of measures including the creation of the Australian Cyber Security Centre (ACSC) and the establishment of Joint Cyber Security Centres (JCSCs) in five capital cities as well as appointing an Ambassador for Cyber Affairs in Dr Tobias Feakin.
The Federal Government has also established three programmes for equipment evaluation and certification base.
In June the ACSC issued guidelines on how organisations should move to ensure the best possible Cyber-Security on their networks with the focus very much on operators knowing their network, understanding and managing their supply chain risk and monitoring their supply chain and controlling it.
The ACSC practitioner guide also stresses the fact that the threat to the supply chain is not limited to extrajudicial influence. Foreign interference is not just related to a vendor’s country of origin. As the case studies demonstrate, it is usually simpler to compromise another product or service in the supply chain without lawful interference.
Of course, in terms of the regulation of local Cyber-Security, the most important legislation is the Telecommunications Sector Security Reforms (TSSR) Act.
The TSSR regulations mandate that all Carriers, carriage service providers and carriage service intermediaries (C/CSPs) must take all reasonable steps to protect their networks and facilities from unauthorized access or interference.
In short, this means that all these network operators must flag up any notifiable equipment in their networks to the Federal Government for engagement or mitigations.
The Federal Government is now moving further on its Cyber-Security agenda and wants an updated strategy to cover the current cyber threat climate and has called for public submissions by November 1st.
Of course, from an international telecoms perspective there has already been a huge amount of work done on beefing up security assurance in the 5G era by bodies like the 3GPP and GSMA, with better privacy preservation, enhanced interconnection security, resilience, and more effective access control to user, control and management planes in place.
However, the reality is that as we move into the 5G era, Cyber Security is very much a shared responsibility across the industry – this cannot be addressed and solved by just vendors and operators alone, it must also include strong contributions from governments and standards organizations.
At Huawei we strongly agree with this shared responsibility approach – but it must be done with some critical factors in mind or it cannot succeed.
We must have a competitive market for vendors to ensure the best possible network resilience, end to end, and we must ensure the most diverse supply chain possible in order to incentivize more investment in Cyber-Security.
Over the last several decades we have made huge progress by ensuring unified standards across the industry and must follow the same process for Cyber-Security assurance as well by looking to develop risk-based certification schemes to improve cyber security standards.
We need to make sure that we have effective assurance testing for equipment, systems and software and support specific evaluation arrangements and we must also invest as an industry on 5G testbeds and trial programs aimed at delivering end-to-end cybersecurity system assurance.
Accomplishing all of this will be a tall order – there is no doubt about that – but Huawei has dedicated a huge amount of time and resource towards our commitment to Cyber-Security and we are determined to play a major role in delivering trustworthy products for the most resilient networks around the world.
David Soldani is Chief Technology and Cyber-Security Officer at Huawei Australia.
Please click here to see David Soldani’s full presentation delivered to Commsday Melbourne on October 10th.