While the debate on the 5G rollout has focused on Huawei, the work has been much wider and had to consider attacks and technical precision, according to the NCSC.
Presenting at Chatham House in London, NCSC CEO Ciaran Martin said that “there is a structural and sustained problem” in the way that telecommunications markets have worked in the past, which has not incentivized sufficiently good cybersecurity.
The most significant attack on UK telcos in recent years is suspected to have come from Russia “and we don’t have any Russian owned or flagged kit in our telco networks,” said Martin.
Martin said that the opportunity of 5G needs to be taken to fundamentally change the way we do telecommunications security and to bake cybersecurity and resilience into our infrastructure. “So, there’s much more to 5G security than Huawei,” he said.
Martin also said that technical precision matters in getting 5G security right. While it is “an important innovation”, he said, it is not magic and doesn’t change the laws of science or immutable concepts of security, but is an extremely complicated set of engineering and technological capabilities and architectures.
He said: “Don’t get me wrong: there are some very real security risks in 5G that we have to get right. But given the complexity, it’s easy for the debate to slip into areas where some of the arguments just don’t technically stack up.”
He cited two examples. The first was the ability to safeguard classified information, including that of the UK’s closest foreign partners, but he said that “the way we do classified information protection has nothing to do with how we construct public 4G or 5G networks and completely outside the scope of the DCMS review.”
Martin said that classified information sharing between partners depends on mutually agreed, ultra-cautious and rigorously policed standards; “always has, always will. It just isn’t relevant to the discussion about public 5G network security.”
The other example concerned the risks posed by foreign vendors from hostile states, which he acknowledged is a “completely legitimate concern to analyze” but not one that should be analyzed in isolation.
He considered the scenario in which Huawei’s presence in a 5G access network would allow the Chinese state to cause major disruption, like turning out the lights, with no way of mitigating that. It would mean that networks are constructed in such a way that the compromise of an external supplier causes catastrophic damage which can’t be contained. He said that if such a case is true, then all of the following must also be true:
- The risk from accidental failure because of an operational mistake by a western vendor cannot be mitigated;
- The risk that a hostile state could insert and exploit malicious code covertly into a western vendor cannot be mitigated;
- The risk that a hostile state could place a human operative into a western vendor and exploit that access to cause the same disruption cannot be mitigated.
“In other words, if this sort of disruption is possible via Huawei, then it’s possible in all sorts of other ways too that should also be of grave concern,” he said. “And it means we’ve built the networks the wrong way. The technical job of the NCSC is to make sure they are built in the right way.”
In conclusion, Martin said that a decade since the first UK cybersecurity strategy, there is now a lot more clarity about what Government should be doing to promote cybersecurity and responsible behavior in cyberspace.