UK And EU Will Connect With Cybersecurity After Brexit

The UK is committed to working with cyber security partners in Europe after Brexit, according to Ciaran Martin, CEO of the UK’s National Cyber Security Centre (pictured).

“Whatever form the future relationship between the UK and the European Union  takes beyond 29 March this year, the prime minister and her cabinet have long made clear that our support to European security as a whole is unconditional,”

Martin told cyber security experts from the EU and Nato, international organisations and the global IT industry at the CyberSec Brussels Leaders’ Foresight 2019 event organised by the Kosciuszko Institute. Within the cyber security sphere, Martin said it was “objectively true” that nearly all the functions of the NCSC fall outside the scope of EU competence.

“It follows that our enhanced cooperation with European partners, and the EU as a whole, in cyber security over recent years is not automatically affected by the UK’s changing relationship with the EU,” he said.

“Pretty much everything we do now to help European partners, and what you do to help us, on cyber security can, should, and I am confident will, continue beyond 29 March.”

In the past, said Martin, the UK has shared classified and other threat data with EU member states and institutions and played a role in the development of European thinking in areas such as standards and incident response.

“As the next phase of the UK’s relationship with the rest of Europe takes shape, we will want to take these partnerships further and to develop new ones,” he said.

Continuing the conference’s theme of cooperation, Martin said that whatever final form the UK’s relationship with the EU takes, the UK and the EU need to be at the forefront of global efforts to build a free and safer internet in the light of US and Chinese domination of technological development.

In particular, he said, all European nations will need to act with others outside the continent to deal with structural challenges to the future of internet security in telecommunications infrastructure and the wider internet environment. The challenge in telecoms infrastructure lies in finding ways to ensure the security of 5G networks, said Martin.

Like many countries, the UK is looking at the “right policy approach” to 5G security and the government’s report on that is due to be released in March, he said.

In recent months, multiple countries, including prominent UK allies and members of the so-called Five Eyes group (Australia, Canada, New Zealand, the UK and the US), have taken action to strip back Huawei’s exposure to critical national infrastructure, or ban the company’s networking kit.

“Contrary to some reporting, no decisions have been taken,” said Martin, referring to a report in the Financial Times that said the NCSC believes it is possible to mitigate the risks associated with using hardware made by Chinese networking equipment and services supplier Huawei, citing sources said to be familiar with the conclusions of the government report on 5G security.

“As its public terms of reference make clear, it is a holistic review, taking account of economic, security, quality of service and other factors,” said Martin. “It is considering a full range of policy options. Everything is on the table.”

He said the NCSC’s role is to offer “expert, objective and technologically literate” input into the security considerations around 5G in line with the organisation’s wider mission to bring “objective rigour” to complex technical issues.

Setting telecoms security in the context of the threat picture, Martin said that in the past two years, the UK government has attributed state-sponsored malicious cyber activity against the UK to Russia, China, North Korea and Iran, adding that there is also a serious and sustained threat from organised cyber-crime.

“The supply chain, and where suppliers are from, is one issue, but it is not the only issue,” he said. “Last year, the NCSC publicly attributed some attacks on UK networks, including telecoms networks, to Russia. As far as we know, those networks didn’t have any Russian kit in them, anywhere. The techniques the Russians used to target those networks were looking for weaknesses in how they were architected and how they were run.

“So we are not naïve – far from it,” said Martin in response to a report from the Royal United Services Institute (Rusi), a defence and security think tank, which said it was naïve at best and irresponsible at worst to make the assumption that China will not try to leverage Huawei’s participation in critical national infrastructure (CNI) projects, such as 5G mobile network roll-out, in some way.

“In the 1,200 or so significant cyber security incidents the NCSC has managed since we were set up, the country of origin of suppliers has not featured among the main causes for concern in how these attacks are carried out,” he said.
“That is one example of our objective, evidence-based analysis of the threat. We take a similar objective, evidence-based approach to the technical security requirements for 5G. Taking threat and requirements together, this leads us to conclude that there are three technical pre-conditions for secure 5G networks.”
First, said Martin, there need to be higher standards of cyber security across the entire telecommunications sector. 

“The biggest threat to our cyber security is weak cyber security,” he said. “Practices must be improved. That is the real lesson of the 1,200 cyber security incidents. The market does not currently incentivise good cyber security. That has to change.”
Second, telecoms networks must be more resilient, he said.

“From the point of view of managing corporate risk or, in our case, national risk, it essentially doesn’t matter whether the vulnerabilities are deliberate or the result of honest mistakes. What matters is that those vulnerabilities can and will be exploited,” said Martin.

“But the networks can and should be designed in a way that will cauterise the damage. That is what we need to do. Put it another way – if you’ve built a telecommunications network in a way that the compromise of one supplier can cause catastrophic national harm, then you’ve built it the wrong way. Resilience is key.”

Third, he said, there must be sustainable diversity in the supplier market.

“Should the supplier market consolidate to such an extent that there are only a tiny number of viable options, that will not make for good cyber security, whether those options are Western, Chinese or from anywhere else,” said Martin. “Any company in an excessively dominant market position will not be incentivised to take cyber security seriously. And, at the same time, that company could also become the prime target for attack for the globe’s most potent cyber attackers.”

These pre-conditions are technical and generic, he said. “They are about the technology and the architecture and the structure of our networks. They are about creating the necessary conditions for a safe 5G network.”

Noting that the UK’s telecoms infrastructure is highly internationalised, Martin said there is already a framework in place for managing risk, based on an objective understanding of how telecoms networks work.

“As our guidance to operators shows, we assume that every bit of kit in any network can fail,” he said. “And so, what is vital is that the failure of individual bits of kit, either because of a malfunction or because of an attack, will not cause catastrophic harm.”

One well-known specific aspect of the UK’s current mitigation framework is how Huawei’s presence in UK networks is managed, said Martin. He pointed out that Huawei’s presence is subject to detailed, formal oversight, led by the NCSC.

“Because of our 15 years of dealings with the company and 10 years of a formally agreed mitigation strategy which involves detailed provision of information, we have a wealth of understanding of the company,” he said.

There are also strict controls for how Huawei is deployed, he added. “It is not in any sensitive networks – including those of the government. Its kit is part of a balanced supply chain with other suppliers,” he said.

“Our regime is arguably the toughest and most rigorous oversight regime in the world for Huawei. 

“And it is proving its worth. Last July, our annual Oversight Board downgraded the assurance we could provide to the UK government on mitigating the risks associated with Huawei because of serious problems with their security and engineering processes.

“As we said then, and repeat today, these problems are about the standard of cyber security; they are not indicators of hostile activity by China. The company has accepted these findings and has pledged to address them, acknowledging that this will be a process of some years.”

Martin added: “We will monitor and report on progress and we will not declare the problems are on the path to being solved unless and until there is clear evidence that this is the case. We will not compromise on the improvements we need to see from Huawei. And, based on our hard-headed assessment of risk and our detailed knowledge of how networks work, we are putting in place our own plans for helping our operators to manage these risks.”

In terms of the structural challenges to the future of internet security in the wider internet environment, Martin said the push to improve standards in cyber security should be a global effort.

“The internet was not built with security in mind,” he said. “That is no one’s fault. It wasn’t malicious, it’s just the way it happened. A model evolved over time where the price of entry for online services became the provision of personal data.”
The limitations of that model are becoming more apparent as time passes, said Martin, and have created structural security problems in the way the internet works.

He said the NCSC focuses on the technical solutions that the market has not provided with the aim of making the internet automatically safer for people to use.

“It’s not fair on busy individuals with complicated, rushed lives and other priorities if we expect them to make judgements every day about how trustworthy one of the hundreds or thousands of bits of communication they get every day are,” he said.

“That is what is behind our active, or automated, cyber defence programme. Its aim is to provide a framework to take away most of the harm from most of the people most of the time.”

As part of the Active Cyber Defence programme, the NCSC has developed a system to use its threat data to block connections to malicious sites from government networks, said Martin.

“We are now protecting 1.3 million government internet users. In 2018, we blocked 11,000 unique malicious domains every month. In the course of the year, we blocked 54 million malicious connections.”

Martin concluded: “So whether it’s future telecommunications infrastructure, or digital security more generally, we want to work with everyone across Europe and beyond to push these changes, to deliver the digital world we all want to see, one that is not just free and prosperous, but safer as well.”

Computer Weekly

You Might Also Read:

No Brexit Deal? Then Its ‘Digital Dover’:

 

« Israel's Cyber-Hotline
No Easy Button Solution To Cybersecurity’s Skills Shortage »

Infosecurity Europe
CyberSecurity Jobsite
Perimeter 81

Directory of Suppliers

The PC Support Group

The PC Support Group

A partnership with The PC Support Group delivers improved productivity, reduced costs and protects your business through exceptional IT, telecoms and cybersecurity services.

Clayden Law

Clayden Law

Clayden Law advise global businesses that buy and sell technology products and services. We are experts in information technology, data privacy and cybersecurity law.

CSI Consulting Services

CSI Consulting Services

Get Advice From The Experts: * Training * Penetration Testing * Data Governance * GDPR Compliance. Connecting you to the best in the business.

ManageEngine

ManageEngine

As the IT management division of Zoho Corporation, ManageEngine prioritizes flexible solutions that work for all businesses, regardless of size or budget.

NordLayer

NordLayer

NordLayer is an adaptive network access security solution for modern businesses — from the world’s most trusted cybersecurity brand, Nord Security. 

Veridify Security

Veridify Security

Veridify Security (formerly SecureRF), develops and licenses quantum-resistant, public-key security tools for the low-resource processors powering the Internet of Things.

Bericon Forensics

Bericon Forensics

Bericon is one of the longest established forensic science consultancies in the UK. Activities include computer and mobile phone forensics.

Ovarro

Ovarro

Ovarro is the new name for Servelec Technologies and Primayer. Ovarro's technology is used throughout the world to monitor, control and manage critical and national infrastructure.

Cybertron

Cybertron

Cybertron services include real-time monitoring and incident response and a cyber range for competency development.

Corvus Insurance

Corvus Insurance

Corvus' mission is to create a safer, more productive world through technology-enabled commercial insurance.

WISeKey

WISeKey

WISeKey is a leading cybersecurity company currently deploying large scale digital identity ecosystems for people and objects using Blockchain, AI and IoT.

Civic Technologies

Civic Technologies

Civic’s Secure Identity Platform (SIP) uses a verified identity for multi-factor authentication on web and mobile apps without the need for usernames or passwords.

Navixia

Navixia

As a leading Swiss IT security specialist, Navixia offers a global and pragmatic approach to information security.

Nexum

Nexum

Nexum takes a comprehensive approach to security, from detecting and preventing network threats, to equipping you with the information, tools and training you need to effectively manage IT risk.

World Informatix Cyber Security (WICS)

World Informatix Cyber Security (WICS)

World Informatix Cyber Security provides a range of cyber security services to protect valuable information assets to global business and governments.

VIRTIS

VIRTIS

VIRTIS' mission is to provide today's leading organizations peace of mind that their entire digital network perimeter is safe from hackers and data breach.

CertNexus

CertNexus

CertNexus is a vendor-neutral certification body, providing emerging technology certifications and micro-credentials for business, data, developer, IT, and security professionals.

Leaf IT

Leaf IT

Leaf IT are a pioneering cloud-first MSP, dedicated to helping businesses in the UK and Ireland. We focus on delivering tangible results for our clients through IT transformation.

42Crunch

42Crunch

42Crunch provides API security testing and threat protection. We proactively test, fix and protect your APIs from development to runtime.

Dryad Global

Dryad Global

Dryad Global offers a comprehensive suite of maritime intelligence solutions, including a best-in-class situational awareness, planning and security system and industry-leading cyber protection tools.

Stratsec

Stratsec

Stratsec is a global team of experts on a mission to protect human life, well-being and the environment against cyber-driven threats.