Europe’s security vision undermined by lack of compulsory requirements

For the most part, companies have to be forced to take security seriously, but perhaps these changes are on the horizon in Europe at least.

Cybersecurity is always a topic of conversation which is never too far away, though you have to question the substance behind the statements. Security and privacy are always top priorities for a company if you listen to the CEO, though the fact that security breaches still persist undermines these bold claims.

To be fair to the companies involved, this is a fast-paced and ever evolving aspect of the technology landscape. Is there such thing as 100% secure? No. Can the companies do more to protect their customers? Yes.

This is where the European Commission plays a critical role in developments. Speaking at Broadband World Forum in Amsterdam, Julie Ruff of the Directorate for Digital Society, Trust & Cybersecurity outlined the challenges, as well as the ways and means to combat these threats, and the telcos will be central to these efforts.

“First of all, they are obvious targets for cyber-attacks [the networks], very attractive targets,” said Ruff.

“The networks can be used as vectors for attack.”

The network is the lynchpin for tomorrow’s economy, the backbone of the virtual world. It’s the digital superhighway which connects anything, everything and everyone. The network owners need to lead from the front, but they are not the only character in this nefarious saga.

As part of the latest iteration of the Cyber Act, the European Commission has introduced a certification framework for ICT digital products, services and processes. This framework will provide a comprehensive set of rules, technical requirements, standards and procedures to ensure consumers and businesses are protected from the dangers lurking in the dark corners of the world wide web.

This is all well and good, but here is the major problem: the certification process is currently voluntary.

At the largest companies, resources can be redirected towards such initiatives to ensure the demands and nuances of the framework are being adequately met. However, this is not going to be the biggest problem the digital economy will face. The start-ups and SMEs, those who can easily find other means to spend valuable and limited funds, will not voluntarily direct investment towards cost-centres and away from profit-builders.

However, with more risks being realised further afield in the ecosystem, a comprehensive approach to security is needed everywhere and anywhere. As Ruff pointed out during her presentation, the interconnected nature of the digital economy means that cybercriminals can infiltrate networks through weak points in the chain.

This is where the European Commission needs to move forward to ensure the certification framework is compulsory, not voluntary. It might come as a financial burden to the start-ups, but it is the only way to mitigate risk most effectively. The investments being made by multinationals and telcos could be completely undermined by a single rogue device connected to the network.

For the digital economy to be anywhere near ‘safe’, connected devices, whatever they may be, need to be secure out of the box and providers need to ensure timely and regular security updates. Unfortunately, this perfect scenario can only be achieved through effective regulation and a compulsory certification framework.

A good vision has been outlined by the European Commission, but this needs to be backed up by effective and compulsory regulation.

US security concerns rubbished by industry and academic feedback

If you thought the UK’s Supply Chain Review was coming to an end, think again, as policymakers have been given more food for thought as part of the 5G infrastructure and national security inquiry.

Entitled ‘Ensuring access to ‘safe’ technology’, Parliament’s Joint Committee on the National Security Strategy has opened itself up to public comment. Although it comes as little surprise, the feedback is relatively consistent: let the industry work with Huawei and take a risk-based approach to managing infrastructure and networks.

For those looking across the Atlantic, there might be some hurt feelings. Businesses and academics from across the UK have largely panned the concerns, albeit in very polite wording, suggesting that while there are security standards and regulations to ponder, the US rhetoric is largely not supported by evidence and is undermined by its own actions.

Submitted to the inquiry mid-way through last week, the team at Oxford Information Labs makes a very valid point regarding Huawei’s entry onto the Entity List:

“The ban was immediately suspended for 90 days, and that suspension was continued for a further 90 days in August 2019, casting doubt on whether Huawei really did represent an immediate ‘national emergency’ as originally claimed.”

Many might have contemplated this opinion, but few have vocalised it. If Huawei is such a threat to US citizens and business, why has the US Government so easily allowed it to continue to do business within its borders? If the White House propaganda is to be believed, Huawei should be erased from the Land of the Free, though the US Government has continued to validate its presence through the two exemption periods.

There is of course the damage to US businesses to take into account, but suspending the enforcement of the ban does undermine the insistence that Huawei is the tip of the Chinese sword.

Another point to consider, which is constantly overlooked, is the depth of evidence to support the wild claims of the White House.

“The US Congress has a long history of making accusations against Huawei, though it has never produced any technical evidence to show that it has undermined the security of its network equipment or that it has impaired the performance of or shut down networks using its equipment,” said Ewan Sutherland, a telecommunications policy expert from the University of the Witwatersrand.

From a personal perspective, your correspondent feels this is an element of the saga which should be taken very seriously. Due to market consolidation and the intensive R&D demands of 5G, there are already few suppliers for the telcos to consider. If one or two of the major players are to be removed from the supply chain, this is a significant decision to make. Evidence should be at the heart of these actions.

This is an element of the debate which everyone should take into account. Huawei has no material presence in US networks, aside from working with a small number of regionalised players. The US does not have to take an evidence-based approach to banning Huawei, as there is little consequence. Other nations, who have existing relationships with Huawei, must take a much more contemplative approach as there are much more serious implications.

The call for Huawei to be managed as opposed to banned is one which has echoed out of the offices for some time. Vodafone has consistently called for a risk-based approach to procurement, while Three in its evidence to the inquiry has demanded the delay to deployment be minimised. This would appear to be the rational approach, though the UK Government does seem hard-pressed to support it.

This is where the telecommunications industry has backed itself into a corner. In the pursuit of a more cost-efficient supply chain, consolidation has been rife. Alcatel, Lucent, Motorola and Nortel were all victims of the consolidation trends, streamlining the number of suppliers who can offer services to the telcos at scale. Telcos now have to look at Chinese vendors to ensure there is competition.

In an ideal world, the UK or US Government might be able to point to a domestic supplier and suggest more products and services are sourced there. This would allow the Government to have more of a handle on development requirements, and despite the suggestion of a new player emerging, this is unlikely to have any material impact on 5G.

“Perhaps, the United States will push or support the creation of a new manufacturer of RAN, though it would need to be for 6G or 7G, rather than 5G,” said Sutherland.

The likes of Huawei, ZTE, Ericsson and Nokia have been investing in 5G R&D for close to a decade and have already begun 6G investigations. What chance would a new, standalone player have in penetrating this market within the next 10-15 years?

Looking through all the submissions, there seems to be a consensus. There are only three network vendors who can realistically support rapid 5G network deployment at scale, and Huawei happens to be one of them.

Regulators do need to take a much more considered approach to acquisitions and mergers in the future, if for no other reason than to avoid the bureaucratic congestion which we are seeing throughout this entire Supply Chain Review process.

Another interesting takeaway from the evidence which has been presented is the desire to remain closely aligned with Europe following Brexit. This should not be considered new either, though perhaps it could build a bridge to repair the damage done by posturing politicians during the Brexit negotiations. Let’s not forget, Europe is the UK’s largest trading partner, and this will not change any time soon; relationships will have to be re-forged following the divorce.

Last week, the European Commission collated all responses from member states into a white paper which said very little which was not already known. 5G presents more of a security threat than generations prior, while state-sponsored attacks are becoming more of a risk. While this might have been seen as busywork, it was a necessary step in the bureaucratic maze to getting something done.

Over the coming months, member states will submit more evidence and recommendations to create what could become a pan-European approach to mitigating risk and rolling out 5G networks. What the submissions are suggesting to the UK Government is that any future proposals on the Isles align as closely as possible to what our European cousins are suggesting. Not only does this provide international consistency, it is a sign of good faith for future trade and political relationships.

Although this is not the end to the protracted evaluation of Huawei and the role of Chinese vendors in the UK network infrastructure segment, it does paint a very strong case for inclusion.

Europe has proven to be a key battleground in the increasingly fraught conflict between the US and China, and few companies are more exposed to the risk than Huawei. This is a vendor which captures billions in profit in its domestic market, as well as across Asia, though Europe contains a significant number of very prominent customers. However, the trends do seem to be heading in the right direction.

Germany has recently said it would not legislate Huawei out of the country, Italy signed a Belt and Road Initiative deal with China in March 2019, Belgium has conducted its own review without consequence to the vendor, while France and the Czech Republic have given warnings but not definitive action. While it is still anyone’s best guess, the UK looks like it is heading towards a risk-based position, potentially enforcing a multi-vendor approach to procurement.

Of course, while logic and behaviour suggest this is the most likely outcome, there is a lot which can go wrong. The UK will have to balance the impact on existing and potential relationships, especially its standing in the valuable Five Eyes intelligence community.

At some point in the future, the Government is going to have to make a decision. The prolonged review of the supply chain does not sit comfortably alongside political ambitions for a rapid rollout of 5G or the accelerated timeline for a full-fibre nation. The longer this review takes, the less likely it is that the UK will be a major player in the digital economy.

UK Gov launches Round Three of cyber security skills initiative

The Department for Digital, Culture, Media and Sport (DCMS) has launched a new campaign to attract a broader array of talent into the world of cyber security.

This is the third round of funding for the Cyber Skills Immediate Impact Fund (CSIIF), with training providers able to access up to £100,000 of government funding to work with employers and design training programmes which retrain a diverse range of individuals for a career in cyber security.

“This latest round of funding demonstrates our commitment to make sure the UK’s cyber security industry has a skilled and diverse workforce and, through our new Cyber Security Council, there are clear paths for those wishing to join the profession,” said Cyber Security Minister Nigel Adams.

“It’s fundamental that cyber security is seen as a nationally recognised and established profession with clear career pathways,” said Simon Edwards, IET Director of Governance and External Engagement.

“With cyber skills shortages already emerging at every level, we are committed to working with the Government and the National Cyber Security Centre on delivering the rapid, yet capable development of specialist cyber skills to meet the growing needs of the industry, manage risk and secure the next generation of talent.”

Alongside this funding, the Institution of Engineering and Technology (IET) has been selected to help design and deliver a new UK Cyber Security Council to coordinate the existing professional landscape. The aim will be to create an accessible career path which is appealing to those entering the workforce.

This is the challenge which the UK is facing: a shortage of skilled workers to address the specialised tasks which are emerging in the digital economy. While cyber security might not be a new concept, it is one which has been ignored by industry for years, and this under-preparedness has been passed on to the workforce.

Recent research from DCMS suggests 54% of businesses in the UK have a basic technical cyber security skills gap. The biggest gaps appear to be in forensic analysis, penetration testing, security architecture and the use of threat analysis insight.

Interestingly enough, while this is a promising initiative to retrain workers and provide a boost to the workforce, some of the building blocks are still missing: the UK education system and the national curriculum are still too focused on traditional and classical topics, and not on the skills and vocations which will create the workforce of tomorrow, which is needed today.

Take coding as an example. There are schools where ICT, of which coding is an element, is a compulsory topic at GCSE, but these are not the majority. The workplace of the future is going to be increasingly digital, and if the UK Government envisions a continued shortage of competent digital employees, surely reforming the curriculum would be a good step forward. Perhaps the subjects which drive potential employees towards data science, software engineering and cybersecurity should be made compulsory by default.

This is a positive step forward, though retraining schemes like this are reactive. A long-term, sustainable solution to the skills shortage would be to address the challenge at the root.

Guide to Superior Cyber Security

Best practices and tips for protecting your business! 

Cyber security is simple enough on paper: maintain the integrity of your systems while keeping the attackers at bay. Things get much more complicated once you get down to practice, however. Limited budgets, a lack of skilled personnel and low awareness of various security topics can all serve as barriers to achieving protection against modern cyber attacks.

One of the most pressing issues relates to visibility and clarity. Where are we currently with our security? What are we missing? Although most IT and security professionals are aware of the technologies and best practices in their field, it’s easy to lose sight of what’s important when you’re dealing with constantly changing digital environments and rapidly evolving external threats.

That’s why we’re here. If you need some tips – or want to refresh your memory – about how to get the essentials of cyber security right, this guide is for you. We go through the basic building blocks of a solid cyber security protocol, from risk assessment and endpoint protection to threat detection. Check how you’re doing – and start improving today!


Kaspersky Labs unearths yet another state-linked malware

Cyber security specialist Kaspersky Labs has claimed to have discovered what it describes as a highly sophisticated cyberespionage campaign called Slingshot, which could have been active for six years.

Clues in the text suggest the code was developed by English-speaking programmers, with the most likely source being a government intelligence agency. The team at Kaspersky believes activity started in at least 2012, and it was still active at the time of analysis in February six years later. The weak point of the perimeter has been traced back to MikroTik routers and the WinBox management software, though it should be noted that these are only the cases identified so far. Vulnerabilities could exist in other bits of kit as well.

“The malicious samples investigated by the researchers were marked as ‘version 6.x’, which suggests the threat has existed for a considerable length of time,” the team said in a blog post.

“The development time, skill and cost involved in creating Slingshot’s complex toolset is likely to have been extremely high. Taken together, these clues suggest that the group behind Slingshot is likely to be highly organized and professional and probably state-sponsored.”

Perhaps one of the most interesting aspects of this malware is its ability to go undetected. Slingshot uses its own encrypted file system in an unused part of the hard drive, and it can even shut down its components when it detects signs that might indicate forensic research. There are several little tricks the actors can use to avoid detection, which makes the malware particularly dangerous and tough to spot.

The attack itself starts with compromised routers made by MikroTik, from which DLL files are downloaded in the normal course of business. The actors figured out a way to add a malicious DLL to an otherwise legitimate package of DLLs; this DLL acted as a downloader for further malicious files stored on the router. MikroTik has been informed and has fixed the issue, but Kaspersky believes this is not the only brand which was used during the campaign.


“Slingshot is very complex and the developers behind it have clearly spent a great deal of time and money on its creation,” said Kaspersky. “Its infection vector is remarkable – and, to the best of our knowledge, unique. We believe that most of the victims we observed appeared to have been initially infected through a Windows exploit or compromised Mikrotik routers.”

Two areas which Kaspersky believes to be particularly advanced are a kernel mode module called Cahnadr and GollumApp, a user mode module. Cahnadr runs in kernel mode, giving attackers limitless control over the infected computer. It can also execute code without causing a blue screen (crashing the system) on the infected machine, which is highly unusual for malware. The second module, GollumApp, is even more sophisticated, containing nearly 1,500 user-code functions. Slingshot can collect screenshots, keyboard data, network data, passwords, other desktop activity, the clipboard and a lot more.

The main purpose of this malware does seem to be counter-espionage (Kaspersky notes patterns consistent with other such examples), but because it operates in the kernel there are no limitations on the information it can collect. Credit card numbers, password hashes and identification codes (such as social security numbers) are just a few examples; essentially any dataset is at risk.

To date, Kaspersky has noted around 100 victims of Slingshot located in Kenya, Yemen, Afghanistan, Libya, Congo, Jordan, Turkey, Iraq, Sudan, Somalia and Tanzania. Interestingly enough, the vast majority of these instances are individuals not organizations or governments (though there are a few examples of the latter two).

Considering how advanced this malware is and that it has been able to go undetected for six years, you have to wonder what else is hidden in the shadowy corners of the web. Hacking techniques and nefarious individuals have certainly advanced over this period, which is slightly concerning.
