UK questions Huawei security credibility

The oversight board responsible for mitigating the risk associated with Huawei products has released a new report which questions whether using equipment from the vendor is the best idea.

The Huawei Cyber Security Evaluation Centre (HCSEC) has released its annual audit which effectively gives a temperature reading on the appropriateness of Huawei kit for UK infrastructure. In the past it has brought up issues with the equipment, though Huawei has always been pretty sharp and compliant when addressing any concerns.

However, the HCSEC is now stating that Huawei has not addressed the underlying issues raised in the last report, and that Huawei’s role in the future communications infrastructure of the UK should therefore be questioned. It has stopped short of calling for a ban on the equipment, but unless Huawei addresses the concerns very quickly, the recommendations will become a lot sterner.

“At present, the Oversight Board has not yet seen anything to give it confidence in Huawei’s capacity to successfully complete the elements of its transformation programme that it has proposed as a means of addressing these underlying defects,” the report states.

“The Board will require sustained evidence of better software engineering and cyber security quality verified by HCSEC and NCSC.”

Last year’s report brought forward several software issues, which were brought firmly to Huawei’s attention. This year’s report demonstrates frustration from the HCSEC that the previously highlighted issues have not been addressed, suggesting Huawei might not be able to fix larger-scale issues which might arise in the future. This is the first time HCSEC has questioned whether Huawei is fit for purpose.

For Huawei, this is a wake-up call. Europe has been quite understanding and tolerant of Huawei over the last couple of months, especially considering the lobby effort from the US, though it won’t take too much to sway the balance of opinion.

This report also comes at a critical time, when Huawei will need to be on its best behaviour. With the European Commission outlining new security mechanisms to mitigate risk in the 5G era, each member state will have to perform an extensive security audit. If the UK is raising the red flag over Huawei software, and 27 other countries are forensically examining all potential security threats, any minor cracks will certainly be found.

Over the next couple of months, all the European Union member states will be submitting reports identifying any risks associated with communications infrastructure. These reports could lead to the ban of products, services and suppliers. This report from the HCSEC is not the best start for Huawei.

Kaspersky Labs unveils another supply-chain threat

While the security vendor has not revealed all the details just yet, a new cybersecurity incident demonstrates how dangerous it can be to focus too acutely on a single threat in the ecosystem.

This is the trend we’ve been seeing in recent months. The rhetoric is so narrowly directed towards China and alleged puppets of the Chinese Government, few are able to talk about anything else when security is raised as a topic. With this incident, Kaspersky Labs has demonstrated threats are everywhere and nefarious actors are completely impartial when it comes to exploiting vulnerabilities.

“A threat actor modified the ASUS Live Update Utility, which delivers BIOS, UEFI, and software updates to ASUS laptops and desktops, added a back door to the utility, and then distributed it to users through official channels,” Kaspersky said in a blog entry.

The trojanized utility was signed with a legitimate certificate and was hosted on the official ASUS server dedicated to updates, with Kaspersky estimating one million users could be affected by the malware. The attack is similar to the CCleaner incident, a remarkably sophisticated attack.

Here, Chinese-speaking actors infiltrated the compilation environment of Piriform, the company responsible for developing CCleaner, software used for cleaning potentially unwanted files and invalid Windows Registry entries. This seemed to be an example of a company believing itself too unimportant to be a target, but because its software is used by other companies it was a useful way to gain entry.

The malware was distributed to just over two million users, though at this stage it only analysed the activities of those users. The first stage was used only to identify 40 users who were relevant for the second stage of the attack. The second stage was a similar targeting activity, whittling the target pool down to four, all of whom worked for high-profile tech companies and IT suppliers. Those four were delivered a tailored build of the ShadowPad malware, creating a backdoor to certain employees of high-profile companies.

In the ASUS example, the company has been informed and the vulnerability corrected. Details of this attack are very thin on the ground; although it has been verified by other security experts, Kaspersky Labs is waiting for the next big cybersecurity conference to unveil the full paper.

This does validate the European approach to dealing with the threat of espionage in the 5G era. A culture of impartial suspicion is the most logical and reasoned approach to risk management.

While some have been quick to ban Huawei and other Chinese vendors from infrastructure deployment, it does not solve the problem. It is a way to appease the masses, giving politicians a chance to point at the bans and promise safety.

Of course, the governments who have banned Huawei will still be on the lookout for nefarious actors, but the bans simply create a false sense of security for those who are not suitably educated in the dangers of the digital economy. Effectively, the majority of society.

In the ASUS and CCleaner incidents, hackers attacked innocent organizations which many people would never consider a risk. The aim was to penetrate the supply chain somewhere suspicion wouldn’t be aroused, allowing the threat to climb through the virtual maze and find the desired target.

“Supply chain risk is one of the biggest challenges in cyber today. Tech companies issuing remote patching and remote updates to customers are increasingly targeted because of their broad, trusted relationships with their customers,” said Jake Olcott, VP Government Affairs at BitSight. “Companies must conduct more rigorous diligence and continuously monitor these critical vendors in order to get a better handle on this risk.”

The approach to security across Europe seems to be taking into account these risks. Yes, China remains under scrutiny, but by escalating the concept of risk throughout the ecosystem, threats are being mitigated everywhere. It is very easy to blame a single company or country, but it is not the most sensible approach to take.

Supply chains in the digital ecosystem are incredibly complex, bringing in different vendors from all walks of life. Some of these will be from Asian countries and some will be SMEs in South Dakota, and the strength of their own security procedures will be incredibly varied too. It only takes one weak link to compromise the entire chain.

US mulls bill for minimum IoT security requirements

A cross-party delegation of US politicians has introduced a bill which aims to create minimum security standards for any IoT devices used by government agencies and departments.

Led by Democratic Congresswoman Robin Kelly and Republican Congressman Will Hurd, the bill has gained notable support already. While this is a perfectly logical step forward to ensure the integrity and resilience of government systems, the fact the politicians seem to be taking an impartial approach, not targeting a single company or country, is much more encouraging.

“As the government continues to purchase and use more and more internet-connected devices, we must ensure that these devices are secure,” said Kelly. “Everything from our national security to the personal information of American citizens could be vulnerable because of security holes in these devices. It’s estimated that by 2020 there will be 30 million internet-connected devices in use. As these devices positively revolutionize communication, we cannot allow them to become a backdoor to hackers or tools for cyberattacks.”

“Internet of Things devices will improve and enhance nearly every aspect of our society, economy and our day-to-day lives,” said Hurd. “This is ground-breaking work and IoT devices must be built with security in mind, not as an afterthought. This bipartisan legislation will make Internet of Things devices more secure and help prevent future attacks on critical technology infrastructure.”

When discussing digital security, a mention of Huawei or China is never far away, but this seems to be an effort to mitigate risk on a much grander scale. Yes, the US does have ideological enemies it should be wary of, but it is critical politicians realise there are risks everywhere throughout the digital ecosystem.

It is easy to point the finger at China and the Chinese government when discussing cybersecurity threats, though this is lazy and dangerous. Having too much of a narrow focus on one area only increases the risk of exposure elsewhere. Such are the complexities of today’s supply chain, with companies and components spanning different geographies and sizes, the risk of vulnerability is everywhere. It is also very important to realise cybercriminals can be anywhere; when there is an opportunity to make money, some will not care who they are targeting. Domestic cybercriminals can be just as much of a threat as international ones.

This impartial approach, applying security standards to IoT devices regardless of origin, is a much more sensible approach to ensure the integrity of networks and safeguard sensitive data.

Of course, this is not necessarily a new idea. Many security experts around the world have been calling for a standardised approach to IoT security, suggesting certification processes with minimum standards. Such a concept has already been shown to work with other products, such as batteries, therefore establishing a baseline for security should not be considered a particularly revolutionary idea.

What is also worth noting is that while this is a good idea and will improve protections, it is by no means a given that the bill will pass into law. A similar bill was launched in 2017, though it was quashed.

UK Government says company boards still don’t get cyber-security

The UK Government has released its 2019 ‘Cyber Governance Health Check’ which claims only 16% of executives have an understanding of cyber-security threats.

It might sound like the beat of an old drum, but eventually management teams will get the idea. Each week new reports emerge suggesting security is an under-appreciated and under-funded aspect of the digital economy, and this week the Government is throwing its own arguments forward. This report measured the attitudes of the FTSE-350 companies across the UK.

“The UK is home to world leading businesses, but the threat of cyber-attacks is never far away,” said UK Digital Minister Margot James. “We know that companies are well aware of the risks, but more needs to be done by boards to make sure that they don’t fall victim to a cyber-attack.”

While the report suggests 96% of businesses have a cyber-security strategy in place, this might prove to be somewhat of a misleading statistic, offering misplaced comfort. The presence of a strategy is irrelevant when the funds are not being appropriately allocated to put the plan into action. If only 16% of the purse-string holders understand the threat, appropriate investments are not going to be made, therefore the problem will persist.

“This report shows that we still have a long way to go but I am also encouraged to see that some improvements are being made,” said James. “Cyber-security should never be an add-on for businesses and I would urge all executives to work with the National Cyber Security Centre and take up the government’s advice and training that’s available.”

Awareness of cyber-security threats is increasing: 72% of respondents to the survey acknowledge the risk of cyber threats is high, and while this is an improvement on the 52% in the 2018 report, this number is still too low.

This is the position many businesses are in. Security is a recognised threat, but with many board members under pressure to produce profitability, funds are being directed to areas which will add to the bottom line. Security is not one of these areas, though the emergence of GDPR and changing consumer attitudes should help this.

Firstly, GDPR was introduced last year, and the first punishments are beginning to be handed out. As soon as board members start to see the hefty GDPR stick swinging, punishing those who are not deemed sufficiently prepared for a cyber-security breach, attitudes will change. The fines can be eye-wateringly high, and if you want to make an executive listen to you, hit them in the wallet.

Secondly, consumers are becoming more security-conscious. With breaches becoming more widely reported in the press and scandals drawing attention to data privacy demands, consumers (and enterprise customers for that matter) are becoming more aware of what should be considered adequate. Security will soon become a factor in the purchasing decision-making process, and companies will have to prove their credentials.

The tides are slowly turning, and soon enough the digital economy might be equipped to deal with the threat of the dark web. That said, with the astronomical pace of progress, you have to wonder whether the challenge is starting to become too big for the chasing peloton.

“Cyber-security is a mainstream business risk, and board members need to understand it in the same way they understand financial or health and safety risks,” said Ciaran Martin, CEO of the National Cyber Security Centre.

Orange builds out security credentials with SecureData acquisition

Orange has announced the acquisition of SecureData, building out the increasingly extensive cybersecurity operations at the telco.

The Orange Cyberdefense Division is another one of Orange’s ventures into the world of differentiation. Like banking and smart home services, this is not a segment which is necessarily core for the telco, but with a close enough link to connectivity it’s a low risk approach to diversification. With annual sales approaching €300 million, over 1,300 employees and a presence in 160 markets, it is also fast becoming more than just an ‘other bet’.

In SecureData, Orange has bought itself more of a presence in the UK, the largest Western European market for managed security services. SecureData’s existing Security Operations Centre (SOC) in Maidstone will add to the existing nine Cyber SOCs and four CERTs around the world. The footprint is steadily increasing, gradually making the Orange security business more appealing to both national and international customers.

“SecureData, just like Orange Cyberdefense, has successfully made the transition toward Managed Security Services, and shares the same passion for Cyber,” said Hugues Foulon, Executive Director of Strategy and Cybersecurity activities at Orange.

“Cybersecurity has become a critical element for both large and small companies as they evolve in an increasingly digital-reliant world. We are convinced that the combined expertise of Orange Cyberdefense and SecureData will provide a powerful resource for our customers in ensuring the protection of their valuable data.”

While Orange has not necessarily been spraying the cash everywhere, it has steadily been building its cybersecurity credentials. Aside from this purchase, Atheos and Lexsi are two other examples, with the services now being extended to 160 different countries.

These two acquisitions do date back a few years, though in cybersecurity Orange has once again proved it can think ahead of the game. This is a segment which is only starting to get the attention it rightly, and responsibly, deserves but it has been an ambition for Orange for years.

A recent survey from Tripwire claims 60% of respondents were more concerned about IoT security in 2019 compared to the previous year. IoT is a blossoming segment, an opportunity many companies will want to take advantage of for both new revenues and operational efficiency, but few know how to keep themselves secure. The perimeter of the network is about to vastly expand, but right now it is nothing more than a risk. Security needs to radically rise up the agenda.

Like getting ahead of the fibre trends across Europe, Orange looks like it is onto a winner with its focus on cybersecurity. With tighter regulations on data protection and privacy, combined with increased public backlash against recent breaches and leaks, as well as new business models, security is becoming more of a priority for companies. The low-risk, long-thinking approach from Orange definitely looks to be paying off.

Cybersecurity investments on the up but not sustainable – study

Research from Strategic Cyber Ventures points to an increased appetite for cyber security investments, but the euphoria sweeping the segment forward is not sustainable.

On numerous occasions we have commented security is the ugly duckling of the technology world. It is critical to ensure the industry, and digital society on the whole, functions appropriately, though more often than not it is ignored. There will be numerous reasons for this, perhaps because security is a thankless and often impossible task, but the data suggests 2018 might have been a watershed year.

Not only did 2018 see $5.3 billion in global venture capital funding, 81% more than in 2016, but M&A activity also increased, as did private equity investments. On the M&A side of things, Cisco made a bang with a $2.4 billion acquisition of Duo Security, while Blackberry acquired Cylance for $1.4 billion. These are two of the larger deals, though there was increased activity in the segment across the period.

In terms of private equity, Barracuda Networks was acquired for $1.6 billion by Thoma Bravo, Bomgar by Francisco Partners for $739 million, while Blackrock spent $400 million on Cofense. Elsewhere in the more complicated financial world, Skyhigh Networks acquired McAfee with assistance from its financial sponsors Thoma Bravo and TPG Capital.


Overall, the trends for the security segment are heading in the right direction. Perhaps now this is an area which will be taken more seriously by the industry, with adequate investment heading into security departments.

That said, Strategic Cyber Ventures has warned the trends from a funding perspective are not exactly the most favourable. The amount of cash being invested is increasing, though it does not appear the rewards are reflecting this. Some of these companies have raised funds through big rounds, but growth has slowed, perhaps due to vendor fatigue or increased competition. The risk here is firms cannot raise additional funds at increased valuations from prior rounds, meaning they will have to lean on existing investors. Eventually these parties will grow tired of keeping them alive for minimal rewards.

The issue here is the need for, and hype around, security. It’s critical to secure the expanding perimeter of the digital economy, creating the need for the segment, while executives constantly talk about security being the number one priority for firms, creating the hype. This would seem to be the perfect recipe for investment in security companies and start-ups. However, the segment hasn’t taken off, perhaps because customers prefer to invest in technologies which will make the company money rather than in those which make it more secure.

This is maybe the most accurate assumption on why the security segment has faltered continuously over the years. Companies have limited spending power with executives choosing to invest in areas which will make the company more profitable, such is the pressure from investors and shareholders. However, consumer attitudes might be changing.

While many would have ignored the security risks of the digital economy in years gone by, today’s consumer is more educated. Privacy scandals have demonstrated the power of data, forcing the consumer to consider security more critically. This might have an impact on future buying decisions.

According to research by Onbuy.com 60% of US and 44% of UK consumers believe there is a risk to personal safety in the sharing economy, while 58% of all the respondents believed the risks outweigh the benefits in the sharing economy. Such attitudes will force companies to consider their security credentials as there is now a direct link back to the bottom line.

What this means for VC funding and investments from around the ecosystem remains to be seen, though the tides are turning in favour of the security segment. As Strategic Cyber Ventures notes, the current levels of investment are unsustainable, but there certainly are rewards.

Internet giants decide US government has nothing to offer security talks

A coalition of internet giants has decided to hold a meeting to discuss cybersecurity and misinformation during November’s US mid-term elections, but the government didn’t make the invite list.

It isn’t often the world’s tech giants all get along, but this seems to be an area on which they can all agree. Something needs to be done to prevent a repeat of the controversy which has constantly stalked Donald Trump’s Presidential win, and it isn’t even worth bothering to listen to the opinions of the government.

According to Buzzfeed, Nathaniel Gleicher, Facebook’s Head of Cybersecurity Policy, called the meeting, inviting twelve other organizations but the government was not on the list. The snub seems to follow a similar meeting in May, where each of the invitees left feeling somewhat disappointed with the government contribution. We can only imagine Department of Homeland Security Under Secretary Chris Krebs and Mike Burham from the FBI’s Foreign Influence Task Force simply sat in the corner, one holding a map and the other pointing to Russia shouting ‘we found it, we found it, look, they don’t even do water sports properly’.

“As I’ve mentioned to several of you over the last few weeks, we have been looking to schedule a follow-on discussion to our industry conversation about information operations, election protection, and the work we are all doing to tackle these challenges,” Gleicher wrote in an email.

The meeting will take place in three stages featuring the likes of Google, Twitter, Snap and Microsoft. Firstly, each company will discuss the efforts they have been making to prevent abuse of the platform. Second will be an open discussion on new ideas. And finally, the thirteen organizations will discuss whether the meeting should become a regular occurrence.

While interference from foreign actors has proved to be a stick to poke the internet giants in the US, criticism of the platforms and a lack of action in tackling misinformation has been a global phenomenon. European nations have been trying to hold the internet players accountable for hate speech and fake news for years, but Trump’s Presidential win is perhaps the most notable impact misinformation has had on the global stage.

With the mid-term elections a perfect opportunity for nefarious characters to cause chaos, the internet players will have to demonstrate they can protect their platforms from abuse. Should abuse be present again, not only would this be a victory for the dark web and the bottom dwellers of digital society, but it would also give losing politicians an opportunity to shift the blame for not winning. While this meeting is an example of industry collaboration, each company has been launching its own initiatives to tackle the threat.

Facebook most recently revealed it scored users from one to ten on the likelihood they would abuse the content flagging system, and has been systematically taking down suspect accounts. Twitter has algorithms in place to detect potential dodgy accounts and limits the dissemination of posts. Microsoft recently bought several web domains registered by Russian military intelligence for phishing operations, then shut them down. Google has also been hoovering up content and fake accounts on its YouTube platform.

Whether the internet giants can actually do anything to prevent abuse of platforms and the spread of misinformation remains to be seen. That said, keeping the bumbling, boresome bureaucrats out of the meeting is surely a sensible idea. Aside from the fact most government workers are as useful as a bicycle pump in a washing machine, Trump-infused, politically-motivated individuals are some of the most notable sources of fake news in the first place.

Cybersecurity for the Fourth Industrial Revolution

Telecoms.com periodically invites third parties to share their views on the industry’s most pressing issues. In this piece Cormac Whelan, CEO UK & Ireland, Nokia Networks looks at how the cybersecurity landscape is evolving.

The Fourth Industrial Revolution, the increasing connectivity of our lives and businesses, is driving business transformation and improving the lives of employees and customers globally. But there’s a darker side to this increased mobility and interconnectedness in the form of security risks that grow exponentially as more data and business operations move to the cloud. Quicker, smarter cloud apps that power business growth are also driving a quickly evolving threat landscape, with at least 360,000 new malicious files detected every day in 2017 (an increase of 11.5 per cent from 2016).

The UK Government’s Cyber Security Breaches Survey 2017 found that almost seven in 10 large businesses identified a breach or attack last year. What’s more, businesses holding electronic data about their customers were far more likely to be compromised than those that didn’t. In tandem, governments, utilities and public services are also at greater risk than ever. An attack resulting in loss of connectivity or equipment damage can leave an entire city without electricity.

The recent WannaCry ransomware attack affected some 400,000 computers in over 150 countries and resulted in major outages in key services such as healthcare, transport and banking. As more and more data gets stored on mobile devices, the risk of attacks increases.

With every business, financial institution, telecoms provider, energy company and government at risk, the only effective response is a defence strategy to protect assets. Operators need to think not only about how criminals can gain access to their networks, but also what they do when they are inside. Temporary loss of files, compromised software or systems, permanent loss or change of files or personal data, lost access to third party systems, money assets or intellectual property stolen – all are possible in any number of combinations.

Identifying risk

Think of this like a large building with black and white windows. In order to repair the building, you need to find the black windows: analyse the problems to find where threats and viruses can come in. The broken window then needs to be fixed, with a new window or a new frame (implementing the right solution and software). To add to the complexity, the windows are constantly changing, so continuous monitoring is needed to keep up. Only through these four elements – the right assessment, the right solution, the right software and the right monitoring – can the building be secured.

Of course, this was much easier when the data was the operators’ own and applications were hosted internally. Companies had their own servers and could install a firewall. Now, to defend assets, operators need qualified security professionals, a good understanding of the vulnerability of important domains and continuous, up-to-date management. Even with talented staff in place, the threat landscape keeps changing, with new viruses, new systems and new types of software and approaches needed.

New vulnerability through the Internet of Things

Cybercrime is moving from computers to mobiles and the Internet of Things. Mobile network infection has gone up by 63%, and 50% of those attacks are very serious, with ransomware spreading easily into networks. All new devices that connect into an operator’s network are new vulnerability points, and this pool is growing daily as the IoT booms. In the near future, every area of our life will be connected by a SIM card, and the vulnerability this brings, along with the potential for device loss or theft, is huge.

Alongside the business impact of network attacks (such as lack of network, impacting critical operations), there’s the very real risk of private data loss. Not only can enterprise problems cause consumer problems through lack of access or loss of service, but companies are responsible for keeping the customers, and their data, safe. Regulations, particularly in the EU, mean that if a virus at the network level allows a hacker to steal 9 million credit card details, the company responsible for the data loss will be held to account.

Preparing for the Fourth Industrial Revolution

Now is the time for companies to start thinking about the vulnerabilities the Fourth Industrial Revolution and ever-expanding Internet of Things will expose. Keeping operations and customers safe needs to be firmly front of mind, both in terms of companies’ own networks and applications, but also in terms of where a network interacts with others.

It’s a complex puzzle and it can be difficult to know where to start, but only by undertaking a thorough assessment and benchmarking against industry averages can an operator create an improvement plan and take steps toward becoming ready for potential security risk. With a plan in place, it is possible to identify the right solution, implement the right software and have a deeper understanding of the monitoring required to keep the business safe. Keeping data safe will be an essential part of realising the benefits and potential of the Fourth Industrial Revolution.


Cormac Whelan is currently the CEO for the UK & Ireland at Nokia, having taken up this role in January 2016. In this role he leads all operations for the UK & Ireland markets, including sales, business management, delivery and operations. As a senior executive over more than two decades in a number of global blue-chip organisations, Cormac has extensive experience in sales, marketing and business development. In addition, he has proven expertise in strategic planning and in driving transformation and change management in large-scale businesses.