UK committed to working with EU cyber security partners

The UK is committed to working with cyber security partners in Europe after Brexit, according to Ciaran Martin, CEO of the UK’s National Cyber Security Centre (NCSC).

“Whatever form the future relationship between the UK and the European Union [EU] takes beyond 29 March this year, the prime minister and her cabinet have long made clear that our support to European security as a whole is unconditional,” Martin told cyber security experts from the EU and Nato, international organisations and the global IT industry at the CyberSec Brussels Leaders’ Foresight 2019 event organised by the Kosciuszko Institute.

Within the cyber security sphere, Martin said it was “objectively true” that nearly all the functions of the NCSC fall outside the scope of EU competence. “It follows that our enhanced cooperation with European partners, and the EU as a whole, in cyber security over recent years is not automatically affected by the UK’s changing relationship with the EU,” he said.

“Pretty much everything we do now to help European partners, and what you do to help us, on cyber security can, should, and I am confident will, continue beyond 29 March.”

In the past, said Martin, the UK has shared classified and other threat data with EU member states and institutions and played a role in the development of European thinking in areas such as standards and incident response.

“As the next phase of the UK’s relationship with the rest of Europe takes shape, we will want to take these partnerships further and to develop new ones,” he said.

Continuing the conference’s theme of cooperation, Martin said that whatever final form the UK’s relationship with the EU takes, the UK and the EU need to be at the forefront of global efforts to build a free and safer internet in the light of US and Chinese domination of technological development.

In particular, he said, all European nations will need to act with others outside the continent to deal with structural challenges to the future of internet security in telecommunications infrastructure and the wider internet environment.

The challenge in telecoms infrastructure lies in finding ways to ensure the security of 5G networks, said Martin.

“Pretty much everything we do now to help European partners, and what they do to help us, on cyber security can, should, and I am confident will, continue beyond 29 March”

Like many countries, the UK is looking at the “right policy approach” to 5G security and the government’s report on that is due to be released in March, he said.

In recent months, multiple countries, including prominent UK allies and members of the so-called Five Eyes group (Australia, Canada, New Zealand, the UK and the US), have taken action to strip back Huawei’s exposure to critical national infrastructure, or ban the company’s networking kit.

“Contrary to some reporting, no decisions have been taken,” said Martin, referring to a report in the Financial Times that said the NCSC believes it is possible to mitigate the risks associated with using hardware made by Chinese networking equipment and services supplier Huawei, citing sources said to be familiar with the conclusions of the government report on 5G security.

“As its public terms of reference make clear, it is a holistic review, taking account of economic, security, quality of service and other factors,” said Martin. “It is considering a full range of policy options. Everything is on the table.”

He said the NCSC’s role is to offer “expert, objective and technologically literate” input into the security considerations around 5G in line with the organisation’s wider mission to bring “objective rigour” to complex technical issues.

Setting telecoms security in the context of the threat picture, Martin said that in the past two years, the UK government has attributed state-sponsored malicious cyber activity against the UK to Russia, China, North Korea and Iran, adding that there is also a serious and sustained threat from organised cyber crime.

“The supply chain, and where suppliers are from, is one issue, but it is not the only issue,” he said. “Last year, the NCSC publicly attributed some attacks on UK networks, including telecoms networks, to Russia. As far as we know, those networks didn’t have any Russian kit in them, anywhere. The techniques the Russians used to target those networks were looking for weaknesses in how they were architected and how they were run.

“So we are not naïve – far from it,” said Martin in response to a report from the Royal United Services Institute (Rusi), a defence and security think tank, which said it was naïve at best and irresponsible at worst to make the assumption that China will not try to leverage Huawei’s participation in critical national infrastructure (CNI) projects, such as 5G mobile network roll-out, in some way.

“In the 1,200 or so significant cyber security incidents the NCSC has managed since we were set up, the country of origin of suppliers has not featured among the main causes for concern in how these attacks are carried out,” he said.

“That is one example of our objective, evidence-based analysis of the threat. We take a similar objective, evidence-based approach to the technical security requirements for 5G. Taking threat and requirements together, this leads us to conclude that there are three technical pre-conditions for secure 5G networks.”

“It essentially doesn’t matter whether vulnerabilities are deliberate or the result of honest mistakes. What matters is that those vulnerabilities can and will be exploited”

First, said Martin, there need to be higher standards of cyber security across the entire telecommunications sector. 

“The biggest threat to our cyber security is weak cyber security,” he said. “Practices must be improved. That is the real lesson of the 1,200 cyber security incidents. The market does not currently incentivise good cyber security. That has to change.”

Second, telecoms networks must be more resilient, he said.

“From the point of view of managing corporate risk or, in our case, national risk, it essentially doesn’t matter whether the vulnerabilities are deliberate or the result of honest mistakes. What matters is that those vulnerabilities can and will be exploited,” said Martin.

“But the networks can and should be designed in a way that will cauterise the damage. That is what we need to do. Put it another way – if you’ve built a telecommunications network in a way that the compromise of one supplier can cause catastrophic national harm, then you’ve built it the wrong way. Resilience is key.”

Third, he said, there must be sustainable diversity in the supplier market.

“Should the supplier market consolidate to such an extent that there are only a tiny number of viable options, that will not make for good cyber security, whether those options are Western, Chinese or from anywhere else,” said Martin. “Any company in an excessively dominant market position will not be incentivised to take cyber security seriously. And, at the same time, that company could also become the prime target for attack for the globe’s most potent cyber attackers.”

These pre-conditions are technical and generic, he said. “They are about the technology and the architecture and the structure of our networks. They are about creating the necessary conditions for a safe 5G network.”

“Our regime is arguably the toughest and most rigorous oversight regime in the world for Huawei”

Noting that the UK’s telecoms infrastructure is highly internationalised, Martin said there is already a framework in place for managing risk, based on an objective understanding of how telecoms networks work.

“As our guidance to operators shows, we assume that every bit of kit in any network can fail,” he said. “And so, what is vital is that the failure of individual bits of kit, either because of a malfunction or because of an attack, will not cause catastrophic harm.”

One well-known specific aspect of the UK’s current mitigation framework is how Huawei’s presence in UK networks is managed, said Martin.

He pointed out that Huawei’s presence is subject to detailed, formal oversight, led by the NCSC. “Because of our 15 years of dealings with the company and 10 years of a formally agreed mitigation strategy which involves detailed provision of information, we have a wealth of understanding of the company,” he said.

There are also strict controls for how Huawei is deployed, he added. “It is not in any sensitive networks – including those of the government. Its kit is part of a balanced supply chain with other suppliers,” he said.

“Our regime is arguably the toughest and most rigorous oversight regime in the world for Huawei. 

“And it is proving its worth. Last July, our annual Oversight Board downgraded the assurance we could provide to the UK government on mitigating the risks associated with Huawei because of serious problems with their security and engineering processes.

“As we said then, and repeat today, these problems are about the standard of cyber security; they are not indicators of hostile activity by China. The company has accepted these findings and has pledged to address them, acknowledging that this will be a process of some years.”

Martin added: “We will monitor and report on progress and we will not declare the problems are on the path to being solved unless and until there is clear evidence that this is the case. We will not compromise on the improvements we need to see from Huawei. And, based on our hard-headed assessment of risk and our detailed knowledge of how networks work, we are putting in place our own plans for helping our operators to manage these risks.”

Working with partners in central government, the regulators and elsewhere, Martin said it is the NCSC’s job to make sure the “UK can prosper securely in these complex market conditions through a hard-headed, technically informed assessment of the risk”.

He added: “That will enable government to weigh up those vital decisions on things like suppliers from different countries. 5G is about much more than just cyber security. Our job is to make sure that the government can be confident that behind whatever decision it takes, there will be a technical framework that works and a competent national technical authority that knows what it is doing.”

Whatever decisions are taken, said Martin, they will need to ensure that the three essential pre-conditions for cyber security can be met – stronger standards, more resilience and supplier diversity.

“5G security is not a simple, binary choice,” he said. “It is about complex technical functions, a complex global threat environment, and a complex global market. One thing is clear – the way that market works has to change. Security must be a bigger consideration in market decisions in the future than it has been to date. We will help to fix that.”

In terms of the structural challenges to the future of internet security in the wider internet environment, Martin said the push to improve standards in cyber security should be a global effort.

“The internet was not built with security in mind,” he said. “That is no one’s fault. It wasn’t malicious – it’s just the way it happened. A model evolved over time where the price of entry for online services became the provision of personal data.”

The limitations of that model are becoming more apparent as time passes, said Martin, and have created structural security problems in the way the internet works.

He said the NCSC focuses on the technical solutions that the market has not provided with the aim of making the internet automatically safer for people to use.

“It’s not fair on busy individuals with complicated, rushed lives and other priorities if we expect them to make judgements every day about how trustworthy one of the hundreds or thousands of bits of communication they get every day are,” he said.

“Our cyber defence programme aims to provide a framework to take away most of the harm from most of the people most of the time”

“That is what is behind our active, or automated, cyber defence programme. Its aim is to provide a framework to take away most of the harm from most of the people most of the time.”

As part of the Active Cyber Defence progamme, the NCSC has developed a system to use its threat data to block connections to malicious sites from government networks, said Martin.

“We are now protecting 1.3 million government internet users. In 2018, we blocked 11,000 unique malicious domains every month. In the course of the year, we blocked 54 million malicious connections.”

The NCSC has also developed an anti-spoofing mechanism to protect government brands, which in its first year helped HM Revenue & Customs to block half a billion attempts to spoof it, and developed a system for automatically taking down known phishing sites, which used to be up for a day, on average, but that has been reduced to about an hour, while the UK’s share of global phishing has fallen from 5.3% to 2.2% in the past two and a half years.

“Think of the potential if we can amplify these sorts of improvements internationally,” said Martin. “None of them has required legislation, and none has been particularly contentious. They are technical improvements – targeted government interventions where commercial solutions can’t work.

“They are low classification – we publish details for most of them. I cannot think of an area more ripe for international cooperation.”

Martin concluded: “So whether it’s future telecommunications infrastructure, or digital security more generally, we want to work with everyone across Europe and beyond to push these changes, to deliver the digital world we all want to see, one that is not just free and prosperous, but safer as well.”