UK And EU Will Connect With Cybersecurity After Brexit

Uploaded on 2019-03-01 in GOVERNMENT-National, FREE TO VIEW

The UK is committed to working with cyber security partners in Europe after Brexit, according to Ciaran Martin, CEO of the UK’s National Cyber Security Centre (pictured).

“Whatever form the future relationship between the UK and the European Union  takes beyond 29 March this year, the prime minister and her cabinet have long made clear that our support to European security as a whole is unconditional,”

Martin told cyber security experts from the EU and Nato, international organisations and the global IT industry at the CyberSec Brussels Leaders’ Foresight 2019 event organised by the Kosciuszko Institute. Within the cyber security sphere, Martin said it was “objectively true” that nearly all the functions of the NCSC fall outside the scope of EU competence.

“It follows that our enhanced cooperation with European partners, and the EU as a whole, in cyber security over recent years is not automatically affected by the UK’s changing relationship with the EU,” he said.

“Pretty much everything we do now to help European partners, and what you do to help us, on cyber security can, should, and I am confident will, continue beyond 29 March.”

In the past, said Martin, the UK has shared classified and other threat data with EU member states and institutions and played a role in the development of European thinking in areas such as standards and incident response.

“As the next phase of the UK’s relationship with the rest of Europe takes shape, we will want to take these partnerships further and to develop new ones,” he said.

Continuing the conference’s theme of cooperation, Martin said that whatever final form the UK’s relationship with the EU takes, the UK and the EU need to be at the forefront of global efforts to build a free and safer internet in the light of US and Chinese domination of technological development.

In particular, he said, all European nations will need to act with others outside the continent to deal with structural challenges to the future of internet security in telecommunications infrastructure and the wider internet environment. The challenge in telecoms infrastructure lies in finding ways to ensure the security of 5G networks, said Martin.

Like many countries, the UK is looking at the “right policy approach” to 5G security and the government’s report on that is due to be released in March, he said.

In recent months, multiple countries, including prominent UK allies and members of the so-called Five Eyes group (Australia, Canada, New Zealand, the UK and the US), have taken action to strip back Huawei’s exposure to critical national infrastructure, or ban the company’s networking kit.

“Contrary to some reporting, no decisions have been taken,” said Martin, referring to a report in the Financial Times that said the NCSC believes it is possible to mitigate the risks associated with using hardware made by Chinese networking equipment and services supplier Huawei, citing sources said to be familiar with the conclusions of the government report on 5G security.

“As its public terms of reference make clear, it is a holistic review, taking account of economic, security, quality of service and other factors,” said Martin. “It is considering a full range of policy options. Everything is on the table.”

He said the NCSC’s role is to offer “expert, objective and technologically literate” input into the security considerations around 5G in line with the organisation’s wider mission to bring “objective rigour” to complex technical issues.

Setting telecoms security in the context of the threat picture, Martin said that in the past two years, the UK government has attributed state-sponsored malicious cyber activity against the UK to Russia, China, North Korea and Iran, adding that there is also a serious and sustained threat from organised cyber-crime.

“The supply chain, and where suppliers are from, is one issue, but it is not the only issue,” he said. “Last year, the NCSC publicly attributed some attacks on UK networks, including telecoms networks, to Russia. As far as we know, those networks didn’t have any Russian kit in them, anywhere. The techniques the Russians used to target those networks were looking for weaknesses in how they were architected and how they were run.

“So we are not naïve – far from it,” said Martin in response to a report from the Royal United Services Institute (Rusi), a defence and security think tank, which said it was naïve at best and irresponsible at worst to make the assumption that China will not try to leverage Huawei’s participation in critical national infrastructure (CNI) projects, such as 5G mobile network roll-out, in some way.

“In the 1,200 or so significant cyber security incidents the NCSC has managed since we were set up, the country of origin of suppliers has not featured among the main causes for concern in how these attacks are carried out,” he said.
“That is one example of our objective, evidence-based analysis of the threat. We take a similar objective, evidence-based approach to the technical security requirements for 5G. Taking threat and requirements together, this leads us to conclude that there are three technical pre-conditions for secure 5G networks.”
First, said Martin, there need to be higher standards of cyber security across the entire telecommunications sector. 

“The biggest threat to our cyber security is weak cyber security,” he said. “Practices must be improved. That is the real lesson of the 1,200 cyber security incidents. The market does not currently incentivise good cyber security. That has to change.”
Second, telecoms networks must be more resilient, he said.

“From the point of view of managing corporate risk or, in our case, national risk, it essentially doesn’t matter whether the vulnerabilities are deliberate or the result of honest mistakes. What matters is that those vulnerabilities can and will be exploited,” said Martin.

“But the networks can and should be designed in a way that will cauterise the damage. That is what we need to do. Put it another way – if you’ve built a telecommunications network in a way that the compromise of one supplier can cause catastrophic national harm, then you’ve built it the wrong way. Resilience is key.”

Third, he said, there must be sustainable diversity in the supplier market.

“Should the supplier market consolidate to such an extent that there are only a tiny number of viable options, that will not make for good cyber security, whether those options are Western, Chinese or from anywhere else,” said Martin. “Any company in an excessively dominant market position will not be incentivised to take cyber security seriously. And, at the same time, that company could also become the prime target for attack for the globe’s most potent cyber attackers.”

These pre-conditions are technical and generic, he said. “They are about the technology and the architecture and the structure of our networks. They are about creating the necessary conditions for a safe 5G network.”

Noting that the UK’s telecoms infrastructure is highly internationalised, Martin said there is already a framework in place for managing risk, based on an objective understanding of how telecoms networks work.

“As our guidance to operators shows, we assume that every bit of kit in any network can fail,” he said. “And so, what is vital is that the failure of individual bits of kit, either because of a malfunction or because of an attack, will not cause catastrophic harm.”

One well-known specific aspect of the UK’s current mitigation framework is how Huawei’s presence in UK networks is managed, said Martin. He pointed out that Huawei’s presence is subject to detailed, formal oversight, led by the NCSC.

“Because of our 15 years of dealings with the company and 10 years of a formally agreed mitigation strategy which involves detailed provision of information, we have a wealth of understanding of the company,” he said.

There are also strict controls for how Huawei is deployed, he added. “It is not in any sensitive networks – including those of the government. Its kit is part of a balanced supply chain with other suppliers,” he said.

“Our regime is arguably the toughest and most rigorous oversight regime in the world for Huawei. 

“And it is proving its worth. Last July, our annual Oversight Board downgraded the assurance we could provide to the UK government on mitigating the risks associated with Huawei because of serious problems with their security and engineering processes.

“As we said then, and repeat today, these problems are about the standard of cyber security; they are not indicators of hostile activity by China. The company has accepted these findings and has pledged to address them, acknowledging that this will be a process of some years.”

Martin added: “We will monitor and report on progress and we will not declare the problems are on the path to being solved unless and until there is clear evidence that this is the case. We will not compromise on the improvements we need to see from Huawei. And, based on our hard-headed assessment of risk and our detailed knowledge of how networks work, we are putting in place our own plans for helping our operators to manage these risks.”

In terms of the structural challenges to the future of internet security in the wider internet environment, Martin said the push to improve standards in cyber security should be a global effort.

“The internet was not built with security in mind,” he said. “That is no one’s fault. It wasn’t malicious, it’s just the way it happened. A model evolved over time where the price of entry for online services became the provision of personal data.”
The limitations of that model are becoming more apparent as time passes, said Martin, and have created structural security problems in the way the internet works.

He said the NCSC focuses on the technical solutions that the market has not provided with the aim of making the internet automatically safer for people to use.

“It’s not fair on busy individuals with complicated, rushed lives and other priorities if we expect them to make judgements every day about how trustworthy one of the hundreds or thousands of bits of communication they get every day are,” he said.

“That is what is behind our active, or automated, cyber defence programme. Its aim is to provide a framework to take away most of the harm from most of the people most of the time.”

As part of the Active Cyber Defence programme, the NCSC has developed a system to use its threat data to block connections to malicious sites from government networks, said Martin.

“We are now protecting 1.3 million government internet users. In 2018, we blocked 11,000 unique malicious domains every month. In the course of the year, we blocked 54 million malicious connections.”

Martin concluded: “So whether it’s future telecommunications infrastructure, or digital security more generally, we want to work with everyone across Europe and beyond to push these changes, to deliver the digital world we all want to see, one that is not just free and prosperous, but safer as well.”

Computer Weekly

You Might Also Read:

No Brexit Deal? Then Its ‘Digital Dover’:

 

« Israel's Cyber-Hotline
No Easy Button Solution To Cybersecurity’s Skills Shortage »

CyberSecurity Jobsite
Perimeter 81
Cyrin

Real Attacks. Real Tools. Real Scenarios.
Schedule a demo

Go Cyber

Training that transforms behaviours

Sign Up: Cyber Security Intelligence Newsletter

Directory of Suppliers

MIRACL

MIRACL

MIRACL provides the world’s only single step Multi-Factor Authentication (MFA) which can replace passwords on 100% of mobiles, desktops or even Smart TVs.

IT Governance

IT Governance

IT Governance is a leading global provider of information security solutions. Download our free guide and find out how ISO 27001 can help protect your organisation's information.

The PC Support Group

The PC Support Group

A partnership with The PC Support Group delivers improved productivity, reduced costs and protects your business through exceptional IT, telecoms and cybersecurity services.

DigitalStakeout

DigitalStakeout

DigitalStakeout enables cyber security professionals to reduce cyber risk to their organization with proactive security solutions, providing immediate improvement in security posture and ROI.

LockLizard

LockLizard

Locklizard provides PDF DRM software that protects PDF documents from unauthorized access and misuse. Share and sell documents securely - prevent document leakage, sharing and piracy.

Cyberwatch

Cyberwatch

Cyberwatch is a Vulnerability Scanner & Fixer software that helps you to detect and fix the vulnerabilities of your Information System.

Zanasi & Partners

Zanasi & Partners

Zanasi & Partners is a security research and advisory company active in the EU and MENA areas. Services focus on technology solutions.

Inky Technology Corp

Inky Technology Corp

Inky® Phish Fence is an email protection gateway that uses sophisticated AI, machine learning and computer vision algorithms to block deep sea phishing attacks that get through every other system.

Sysorex Government Services

Sysorex Government Services

Sysorex Government Services helps customers meet their strategic missions by providing secure, optimized IT solutions that allow them to perform more efficiently and effectively.

Sistem Integra (SISB)

Sistem Integra (SISB)

SISB provide IT Security Infrastructure & Development, Mechanical & Electrical Services, Fire Safety & Detection Services, Facilities Management & Application Development.

Digital Security

Digital Security

Digital Security is an Ecuadorian company specialized in providing comprehensive information security solutions.

Lightship Security

Lightship Security

Lightship Security is an accredited Common Criteria and FIPS 140-2 IT security testing laboratory that specializes in test conformance automation solutions and IT product security certifications.

IAmI Authentications

IAmI Authentications

IAmI is a first in Tokenization Cloud-based IAM Security Services, delivering the most advanced form of Two-Factor Authentication.

ECOLUX

ECOLUX

ECOLUX is a professional IoT security service company committed to developing world-leading “IoT Lifecycle Security” technologies and products.

HSB

HSB

HSB offers insurance for equipment breakdown, cyber risk, data breach, identity recovery & employment practices liability.

SecurIT360

SecurIT360

SecurIT360 is a full-service specialized Cyber Security and Compliance consulting firm.

Air IT

Air IT

Air IT are a responsive, client-focused and award-winning Managed Service Provider, helping clients achieve success and transformation through their IT and communications.

VLC Solutions

VLC Solutions

VLC Solutions is an independent solutions and technology service provider offering Cloud Services, Cybersecurity, ERP Services, Network Management Services, and Compliance Solutions.

Sekoia.io

Sekoia.io

Sekoia.io is a European cybersecurity company whose mission is to develop the best protection capabilities against cyber-attacks.

Exiger

Exiger

Exiger is revolutionizing the way corporations, government agencies and banks navigate risk and compliance in their third-parties, supply chains and customers.

Communications Fraud Control Association (CFCA)

Communications Fraud Control Association (CFCA)

CFCA is the premier International Association for fraud risk management, fraud prevention and profitability control.