UK And EU Will Connect With Cybersecurity After Brexit

The UK is committed to working with cyber security partners in Europe after Brexit, according to Ciaran Martin, CEO of the UK’s National Cyber Security Centre (pictured).

“Whatever form the future relationship between the UK and the European Union  takes beyond 29 March this year, the prime minister and her cabinet have long made clear that our support to European security as a whole is unconditional,”

Martin told cyber security experts from the EU and Nato, international organisations and the global IT industry at the CyberSec Brussels Leaders’ Foresight 2019 event organised by the Kosciuszko Institute. Within the cyber security sphere, Martin said it was “objectively true” that nearly all the functions of the NCSC fall outside the scope of EU competence.

“It follows that our enhanced cooperation with European partners, and the EU as a whole, in cyber security over recent years is not automatically affected by the UK’s changing relationship with the EU,” he said.

“Pretty much everything we do now to help European partners, and what you do to help us, on cyber security can, should, and I am confident will, continue beyond 29 March.”

In the past, said Martin, the UK has shared classified and other threat data with EU member states and institutions and played a role in the development of European thinking in areas such as standards and incident response.

“As the next phase of the UK’s relationship with the rest of Europe takes shape, we will want to take these partnerships further and to develop new ones,” he said.

Continuing the conference’s theme of cooperation, Martin said that whatever final form the UK’s relationship with the EU takes, the UK and the EU need to be at the forefront of global efforts to build a free and safer internet in the light of US and Chinese domination of technological development.

In particular, he said, all European nations will need to act with others outside the continent to deal with structural challenges to the future of internet security in telecommunications infrastructure and the wider internet environment. The challenge in telecoms infrastructure lies in finding ways to ensure the security of 5G networks, said Martin.

Like many countries, the UK is looking at the “right policy approach” to 5G security and the government’s report on that is due to be released in March, he said.

In recent months, multiple countries, including prominent UK allies and members of the so-called Five Eyes group (Australia, Canada, New Zealand, the UK and the US), have taken action to strip back Huawei’s exposure to critical national infrastructure, or ban the company’s networking kit.

“Contrary to some reporting, no decisions have been taken,” said Martin, referring to a report in the Financial Times that said the NCSC believes it is possible to mitigate the risks associated with using hardware made by Chinese networking equipment and services supplier Huawei, citing sources said to be familiar with the conclusions of the government report on 5G security.

“As its public terms of reference make clear, it is a holistic review, taking account of economic, security, quality of service and other factors,” said Martin. “It is considering a full range of policy options. Everything is on the table.”

He said the NCSC’s role is to offer “expert, objective and technologically literate” input into the security considerations around 5G in line with the organisation’s wider mission to bring “objective rigour” to complex technical issues.

Setting telecoms security in the context of the threat picture, Martin said that in the past two years, the UK government has attributed state-sponsored malicious cyber activity against the UK to Russia, China, North Korea and Iran, adding that there is also a serious and sustained threat from organised cyber-crime.

“The supply chain, and where suppliers are from, is one issue, but it is not the only issue,” he said. “Last year, the NCSC publicly attributed some attacks on UK networks, including telecoms networks, to Russia. As far as we know, those networks didn’t have any Russian kit in them, anywhere. The techniques the Russians used to target those networks were looking for weaknesses in how they were architected and how they were run.

“So we are not naïve – far from it,” said Martin in response to a report from the Royal United Services Institute (Rusi), a defence and security think tank, which said it was naïve at best and irresponsible at worst to make the assumption that China will not try to leverage Huawei’s participation in critical national infrastructure (CNI) projects, such as 5G mobile network roll-out, in some way.

“In the 1,200 or so significant cyber security incidents the NCSC has managed since we were set up, the country of origin of suppliers has not featured among the main causes for concern in how these attacks are carried out,” he said.
“That is one example of our objective, evidence-based analysis of the threat. We take a similar objective, evidence-based approach to the technical security requirements for 5G. Taking threat and requirements together, this leads us to conclude that there are three technical pre-conditions for secure 5G networks.”
First, said Martin, there need to be higher standards of cyber security across the entire telecommunications sector. 

“The biggest threat to our cyber security is weak cyber security,” he said. “Practices must be improved. That is the real lesson of the 1,200 cyber security incidents. The market does not currently incentivise good cyber security. That has to change.”
Second, telecoms networks must be more resilient, he said.

“From the point of view of managing corporate risk or, in our case, national risk, it essentially doesn’t matter whether the vulnerabilities are deliberate or the result of honest mistakes. What matters is that those vulnerabilities can and will be exploited,” said Martin.

“But the networks can and should be designed in a way that will cauterise the damage. That is what we need to do. Put it another way – if you’ve built a telecommunications network in a way that the compromise of one supplier can cause catastrophic national harm, then you’ve built it the wrong way. Resilience is key.”

Third, he said, there must be sustainable diversity in the supplier market.

“Should the supplier market consolidate to such an extent that there are only a tiny number of viable options, that will not make for good cyber security, whether those options are Western, Chinese or from anywhere else,” said Martin. “Any company in an excessively dominant market position will not be incentivised to take cyber security seriously. And, at the same time, that company could also become the prime target for attack for the globe’s most potent cyber attackers.”

These pre-conditions are technical and generic, he said. “They are about the technology and the architecture and the structure of our networks. They are about creating the necessary conditions for a safe 5G network.”

Noting that the UK’s telecoms infrastructure is highly internationalised, Martin said there is already a framework in place for managing risk, based on an objective understanding of how telecoms networks work.

“As our guidance to operators shows, we assume that every bit of kit in any network can fail,” he said. “And so, what is vital is that the failure of individual bits of kit, either because of a malfunction or because of an attack, will not cause catastrophic harm.”

One well-known specific aspect of the UK’s current mitigation framework is how Huawei’s presence in UK networks is managed, said Martin. He pointed out that Huawei’s presence is subject to detailed, formal oversight, led by the NCSC.

“Because of our 15 years of dealings with the company and 10 years of a formally agreed mitigation strategy which involves detailed provision of information, we have a wealth of understanding of the company,” he said.

There are also strict controls for how Huawei is deployed, he added. “It is not in any sensitive networks – including those of the government. Its kit is part of a balanced supply chain with other suppliers,” he said.

“Our regime is arguably the toughest and most rigorous oversight regime in the world for Huawei. 

“And it is proving its worth. Last July, our annual Oversight Board downgraded the assurance we could provide to the UK government on mitigating the risks associated with Huawei because of serious problems with their security and engineering processes.

“As we said then, and repeat today, these problems are about the standard of cyber security; they are not indicators of hostile activity by China. The company has accepted these findings and has pledged to address them, acknowledging that this will be a process of some years.”

Martin added: “We will monitor and report on progress and we will not declare the problems are on the path to being solved unless and until there is clear evidence that this is the case. We will not compromise on the improvements we need to see from Huawei. And, based on our hard-headed assessment of risk and our detailed knowledge of how networks work, we are putting in place our own plans for helping our operators to manage these risks.”

In terms of the structural challenges to the future of internet security in the wider internet environment, Martin said the push to improve standards in cyber security should be a global effort.

“The internet was not built with security in mind,” he said. “That is no one’s fault. It wasn’t malicious, it’s just the way it happened. A model evolved over time where the price of entry for online services became the provision of personal data.”
The limitations of that model are becoming more apparent as time passes, said Martin, and have created structural security problems in the way the internet works.

He said the NCSC focuses on the technical solutions that the market has not provided with the aim of making the internet automatically safer for people to use.

“It’s not fair on busy individuals with complicated, rushed lives and other priorities if we expect them to make judgements every day about how trustworthy one of the hundreds or thousands of bits of communication they get every day are,” he said.

“That is what is behind our active, or automated, cyber defence programme. Its aim is to provide a framework to take away most of the harm from most of the people most of the time.”

As part of the Active Cyber Defence programme, the NCSC has developed a system to use its threat data to block connections to malicious sites from government networks, said Martin.

“We are now protecting 1.3 million government internet users. In 2018, we blocked 11,000 unique malicious domains every month. In the course of the year, we blocked 54 million malicious connections.”

Martin concluded: “So whether it’s future telecommunications infrastructure, or digital security more generally, we want to work with everyone across Europe and beyond to push these changes, to deliver the digital world we all want to see, one that is not just free and prosperous, but safer as well.”

Computer Weekly

You Might Also Read:

No Brexit Deal? Then Its ‘Digital Dover’:

 

« Israel's Cyber-Hotline
No Easy Button Solution To Cybersecurity’s Skills Shortage »

Quartz Conference
CyberSecurity Jobsite
Perimeter 81

Directory of Suppliers

Jooble

Jooble

Jooble is a job search aggregator operating in 71 countries worldwide. We simplify the job search process by displaying active job ads from major job boards and career sites across the internet.

DigitalStakeout

DigitalStakeout

DigitalStakeout enables cyber security professionals to reduce cyber risk to their organization with proactive security solutions, providing immediate improvement in security posture and ROI.

Practice Labs

Practice Labs

Practice Labs is an IT competency hub, where live-lab environments give access to real equipment for hands-on practice of essential cybersecurity skills.

MIRACL

MIRACL

MIRACL provides the world’s only single step Multi-Factor Authentication (MFA) which can replace passwords on 100% of mobiles, desktops or even Smart TVs.

NordLayer

NordLayer

NordLayer is an adaptive network access security solution for modern businesses — from the world’s most trusted cybersecurity brand, Nord Security. 

Smartbear

Smartbear

Smartbear offers powerful, affordable and easy to use code review, automated testing, performance testing and post deployment monitoring tools.

LogPoint

LogPoint

LogPoint offers a full enterprise SIEM (Security Information & Event Management) solution to defend against cybercrime and fraud.

Quantum

Quantum

Quantum provide a unique combination of specialized storage solutions including virtual and physical server data protection, cloud backup and recovery

CIRCL

CIRCL

CIRCL is the national Computer Incident Response Center of Luxembourg

APWG

APWG

APWG is the international coalition unifying the global response to cybercrime across industry, government, law-enforcement and NGO communities.

Mondo

Mondo

Mondo is the largest national staffing agency specializing exclusively in high-end, niche IT, Tech, and Digital Marketing talent. Areas of expertise include Cybersecurity.

Cipher Tooth

Cipher Tooth

CipherTooth is a superior system for delivering secure content over the Internet.

V-Key

V-Key

V-Key is a global leader in software based digital security, providing solutions for mobile identity, authentication, authorization, and mobile payments for major banks.

Bounga Informatics

Bounga Informatics

Bounga Informatics provides Digital Forensics, E-Discovery, and Endpoint Security software, hardware, and training in Singapore and other countries in Asia Pacific.

Horangi

Horangi

Horangi provides security products and services that enable the rapid delivery of Incident Response and threat detection for our customers who lack the scale, expertise, or time to do it themselves.

4Stop

4Stop

4Stop is a global KYC, compliance and anti-fraud risk management company.

Industrial Internet Consortium (IIC)

Industrial Internet Consortium (IIC)

The Industrial Internet Consortium is the world's leading organization transforming business and society by accelerating the Industrial Internet of Things (IIoT).

ITRenew

ITRenew

ITRenew is a leading global IT lifecycle management solutions company, specializing in onsite data center decommissioning and data erasure services.

Point Predictive

Point Predictive

Point Predictive build Predictive Models using Artificial Intelligence and Machine Learning techniques that help our customers stop fraud and early payment default (EPD).

Quantifind

Quantifind

Quantifind enables financial crimes/fraud analysts and investigators to make better decisions, faster, with intelligent automation.

Rayzone Group

Rayzone Group

Rayzone Group offers a wide range of Cyber Security solutions and services, providing hollistic protection suitable for both enterprises and National cyber security centers.