Top Australian Spy Condemns Britain's Huawei Decision

A former top spy has condemned Britain's decision to involve Huawei in the consruction of its national 5G network, warning Beijing's state-orchestrated campaign of hacks and all-encompassing intelligence laws shows Chinese companies cannot be trusted in cyberspace.

Simeon Gilding, who until last month was head of the Australian Signals Directorate's (ASD) signal intelligence and offensive cyber missions, has offered a rare insight into spy agencies' decision to effectively ban Huawei from supplying equipment to Australia's 5G network, despite the company's and Beijing's protestations.

Gilding was part of an ASD team that designed pages of cybersecurity mitigation measures which would "give the government confidence that hostile intelligence services could not leverage their national vendors to gain access to our 5G networks…But we failed," he wrote.

Huawei's Australian arm has seized upon the UK's decision to allow the company a limited role to supply equipment for the non-core parts of the network in a bid to convince the Australian government to reverse the ban.

But Mr Gilding, who led ASD's assessment of Huawei, said the UK government had "doubled down on a flawed and outdated cybersecurity model to convince themselves that they can manage the risk that Chinese intelligence services could use Huawei's access to UK telco networks to insert bad code".

In a recent article for the Australian Strategic Policy Institute, Mr Gilding said the ASD had tried to design cybersecurity controls that would give the government confidence a hostile state intelligence agency would not be able to access networks through vendors' technology but failed. He cites China's controversial 2017 laws which require Chinese companies to cooperate with national intelligence work at Beijing's behest as an insurmountable challenge.

He said China had destroyed trust in cyberspace through its "scaled and indiscriminate hacking of foreign networks and its determination to direct and control Chinese tech companies.

Mr Gilding said legally compelled access to 5G vendors was "game changing for Chinese intelligence agencies because hacking is an increasingly tough business", likening it asking a fox to babysit your chickens. "Old style cybersecurity evolved to deal with threats from outside the network. But none of this works if the threat is inside your network....It is simply not reasonable to expect that Huawei would refuse a direction from the Chinese Communist Party, especially one backed by law."

While Huawei has complained Canberra has never told them about any security-related requirements to allow them to become involved in the 5G network, when the ban was announced by the previous government in August 2018, it explicitly nominated the risk posed by vendors "likely to be subject to extrajudicial directions from a foreign government".

Mr Gilding also rebuffs the British view that it is possible to minimise risk by splitting 5G networks into core and non-core functions, saying the technology's full potential for high speeds will only be reached if sensitive functions happen at the edge close to the consumer.

Britain's decision is based on a misunderstanding of the architectural differences between 4G networks, and full 5G networks where the distinction between "core" and "edge" disappear, Gilding wrote. "With 5G, all network functionality is virtualised and takes place within a single cloud environment. That means there is no physical or logical separation between the core and edge of the network." 

Huawei argues that despite being headquartered in an authoritarian country where the Chinese Communist Party’s intelligence and military apparatus reign supreme, it operates free of government influence.

 But Gilding does not agree - he  insists the problem is not with Huawei, but with the Chinese state’s record of cyber-attacks on Australia, and the fact that it has the power to direct private firms to follow its commands. The British decision to involve Huawei was, according to Gilding, based on the mistaken assumption that a country can apply “traditional” defences to stop a cyber-attack launched with the help of a company running part or all of a 5G network. 

IT News:        Sydney Morning Herald:        ZDNet:       Australian Financial Review:

You Might Also Read:

Is Widespread Suspicion Of Huawei Justified?:

 

 

 

« Fake News And The 2020 Presidential Election
The New Wave Of Attack Vectors »

CyberSecurity Jobsite
Perimeter 81

Directory of Suppliers

ManageEngine

ManageEngine

As the IT management division of Zoho Corporation, ManageEngine prioritizes flexible solutions that work for all businesses, regardless of size or budget.

CYRIN

CYRIN

CYRIN® Cyber Range. Real Tools, Real Attacks, Real Scenarios. See why leading educational institutions and companies in the U.S. have begun to adopt the CYRIN® system.

ZenGRC

ZenGRC

ZenGRC - the first, easy-to-use, enterprise-grade information security solution for compliance and risk management - offers businesses efficient control tracking, testing, and enforcement.

NordLayer

NordLayer

NordLayer is an adaptive network access security solution for modern businesses — from the world’s most trusted cybersecurity brand, Nord Security. 

Practice Labs

Practice Labs

Practice Labs is an IT competency hub, where live-lab environments give access to real equipment for hands-on practice of essential cybersecurity skills.

SSL247

SSL247

SSL247 is Europe's leading Web Security Consultancy Firm. We enjoy long-standing partnerships with Certificate Authorities including Symantec, GlobalSign, Entrust Datacard, Comodo, Thales and Qualys.

LogRhythm

LogRhythm

LogRhythm's security platform unifies SIEM, log management, network and endpoint monitoring, user behaviour analytics, security automation and advanced security analytics.

Dataglobal

Dataglobal

Dataglobal is an industry-leading provider of Information Archiving/Governance and Unified Data Classification solutions.

Waratek

Waratek

Waratek is a pioneer in the next generation of application security solutions known as Runtime Application Self-Protection or RASP.

Abusix

Abusix

Abusix specializes in Internet security, network abuse handling, antispam and fraud prevention.

Cyberteq

Cyberteq

Cyberteq is an innovative Information and Communication Technology Consulting Company, enabling it’s customers to take full advantage of the latest technologies in a secure manner.

Araxxe

Araxxe

Araxxe delivers Revenue Assurance, End-to-End Billing Verification and Interconnect Fraud Detection solutions to communication companies worldwide.

Swiss Cyber Think Tank (SCTT)

Swiss Cyber Think Tank (SCTT)

The Swiss Cyber Think Tank is a business network for Cyber Risk & Insurability, providing an industry-wide networking platform for insurers, technology and security firms.

Crypto4A Technologies

Crypto4A Technologies

Crypto4A quantum-ready cybersecurity solutions significantly improve protection for Cloud, loT, Blockchain, V2X, government and military application deployments.

CyberASAP

CyberASAP

CyberASAP provides expertise, knowledge and support to convert academic ideas into commercial products in the cyber security space.

SECFORCE

SECFORCE

SECFORCE is a leading information security consultancy specialising in bespoke penetration testing and red team engagements.

Grayshift

Grayshift

Grayshift is the leading provider of mobile device digital forensics, specializing in lawful access and extraction.

Apptega

Apptega

Apptega is an award-Winning Cybersecurity and Compliance Platform. Our mission is to make cybersecurity and compliance easy for everyone.

SIA Group

SIA Group

SIA Group, an Indra company, combines Consulting, Systems Integration and Managed Services in four specialized business areas: Information Security, Storage, IT Management and IT Mobility.

Securance Consulting

Securance Consulting

Since 2002, Securance has empowered enterprises to assume proactive security, compliance, and risk management strategies.

TuxCare

TuxCare

TuxCare make Linux more secure. We take care of Linux so that organizations can use Linux to support environments that require high levels of Cybersecurity, stability, and availability.