Research Analyst in Cyber Threats and Cyber Security at the Royal United Services Institute
25 Aug 2020
The COVID-19 pandemic has uprooted all our lives but what about implications for national cyber policy? In this guest blog, the Royal United Services Institute’s Rebecca Lucas examines its impact so far
Cyber security has always been a dynamic field, with new challenges and new threats never far away. Over the last year, our team at the Royal United Services Institute (RUSI) has been looking at questions raised by the global spread of technology innovation and production.
Long and complex supply chains run through an increasingly diverse group of contractors and subcontractors spread across the world. These groups are vulnerable to hacking, and it is difficult to verify the cyber security of the products they produce. However, large supply chains are part of doing business the modern world. But many people, including politicians, have not been paying particularly close attention to the growing number of security challenges they pose.
COVID-19 brought these challenges into sharp focus. Suddenly, the scramble to get medical equipment and other supplies drew lots of public attention. At the same time, geo-political tensions between the US and China ratcheted up as both countries responded to the pandemic. These tensions, manifested themselves most obviously in the recent round of sanctions on the telecommunications giant Huawei. It remains a pressing issue for the UK as domestic operators seek to build out their 5G networks.
As part of RUSI’s Globalisation of Technology project, we have argued for the benefits of cyber risk management. None of these technology systems, or the supply chains that produce them, are 100% secure, and yet much of society is dependent upon them. The question then becomes how to work with fundamentally insecure systems, and reaping the benefits of the global economy, while ensuring that the risks remain manageable. Answering this question requires recognising that every security decision involves a trade-off – focusing resources on one area might negatively impact security in another.
The first sector we looked at for the Globalisation of Technology project was telecommunications, particularly the challenges around 5G. We interviewed experts across industry, academia, and government about whether it is possible to create a secure system.
Part of this involved determining whether 5G was a complete revolutionary change or an evolution of existing technology. This then determines whether tried and true security measures could apply to 5G networks as well, or whether radical new security measures were necessary. Through our interviews, we found that 5G is an evolution of existing technologies – so fortunately, many current security approaches remain relevant.
And while it’s not a radical break from previous generations of telecoms equipment, 5G does pose some new or newly-acute risks.
The first is the expanded attack surface, particularly related to its connection to the Internet of Things. Second, the complexity of supply chains producing 5G components has significantly increased the number of attack vectors. This makes the equipment extremely vulnerable to either malicious actors or human error. Finally, the 5G space is dominated by a small number of vendors. In the UK, for example, components for the Radio Access Network are currently produced by just three companies: Huawei, Nokia, and Ericsson. The lack of vendor diversity raises concerns about how to create networks with redundancy and diversity, as well as concerns about competition in the event one vendor is excluded.
National decisions about whether to include ‘high-risk vendors’ in their 5G networks have dominated the media landscape over much of the last year. In addition, while many people have tried to recommend one-size-fits-all solutions, our research indicated that the problem is much more complicated.
An individual country’s specific circumstances, including its risk appetite, its experience and resources, and the threats it faces, change what solutions are appropriate. For the UK, we looked at the small number of vendors available, the country's experience and resources it could leverage in this area, and the other threats the UK might face.
Despite the importance of national context in decision making, there are measures that all countries can and should be taking to protect their telecommunications infrastructure.
Our research identified five such measures, including: constructing networks to be resilient and be able to avoid single points of failure; managing operators’ access to the network for patching and maintenance; testing and monitoring of network behaviour, as well as individual components; strong cyber security standards and basic cyber hygiene; and, if necessary, restricting some vendors from providing equipment to the network.
While the last measure and the question of Huawei have been the focus of much of the debate around 5G, it is only one of several measures that countries need to be considering in order to ensure a comprehensive and thorough approach to 5G network security.
Securing supply chains
We’ve also been looking at other areas of what the UK considers critical national infrastructure, including the energy, healthcare, and defence sectors. To take Defence as an example, both the UK's MoD and the US's DoD are currently in the process of putting in place new cyber security guidelines and restrictions, a process that has been complicated by COVID-19. Both noticed the importance of focusing on cyber security throughout their long supply chains, not only for the prime contractors, but also for the small and medium enterprises that provide critical support.
The supply chain disruptions caused by COVID-19 have raised serious questions about how and whether countries have safeguarded supply chains for such infrastructure. While the question became particularly pointed for healthcare technology as a result of the pandemic, such concerns apply across a range of sectors.
The cyber security concerns around both the supply chains themselves, as well as the resulting items, affect everyone from critical national infrastructure to small businesses. Governments should use the new attention such issues have drawn to examine the extent to which they can and should secure supply chain security and cyber security. They should include in this consideration the realisation that in this interconnected world, supply chain disruptions are a fact of life that is often outside their control. Resilience and adaptability are therefore key characteristics that are critical for supply chains.
As we adjust to the seemingly long-term nature of COVID-19, it seems safe to say that these challenges – as well as those yet to emerge – will continue to evolve over the coming months.
About the author
Rebecca Lucas is a Research Analyst in Cyber Threats and Cyber Security at the Royal United Services Institute
The Cyber Threat: before, during and after lockdown. No sector of society has proved immune to the spiralling effect of Covid-19 – and that includes cyber security. With the kaleidoscope shaken and pieces still in flux, Adrian Nish examines its impact so far
Transformation in the Time of Corona. The Coronavirus has turned our lives upside down but that’s not all, says Mivy James. It’s also highlighted the plight of the digitally excluded, as well the systemic changes which should be made permanent, not temporary
Stepping up on Cyber Defence. Christine Maxwell is a woman on a mission – a cyber mission. She tells Mivy James about overseeing the ever evolving challenge of Cyber Defence and Risk at the UK’s Ministry of Defence