Europe’s security vision undermined by lack of compulsory requirements

For the most part, companies have to be forced to take security seriously, but perhaps these changes are on the horizon in Europe at least.

Cybersecurity is always a topic of conversation which is never too far away, though you have to question the substance behind the statements. Security and privacy are always top priorities for a company if you listen to the CEO, though the fact that security breaches still persist undermines these bold claims.

To be fair to the companies involved, this is a fast-paced and ever-evolving aspect of the technology landscape. Is there such a thing as 100% secure? No. Can the companies do more to protect their customers? Yes.

This is where the European Commission plays a critical role in developments. Speaking at Broadband World Forum in Amsterdam, Julie Ruff, Directorate for Digital Society, Trust & Cybersecurity, outlined the challenges, as well as the ways and means to combat these threats, and the telcos will be central to these efforts.

“First of all, they are obvious targets for cyber-attacks [the networks], very attractive targets,” said Ruff.

“The networks can be used as vectors for attack.”

The network is the lynchpin for tomorrow’s economy, the backbone of the virtual world. It’s the digital superhighway which connects anything, everything and everyone. The network owners need to lead from the front, but they are not the only character in this nefarious saga.

As part of the latest iteration of the Cyber Act, the European Commission has introduced a certification framework for ICT digital products, services and processes. This framework will provide a comprehensive set of rules, technical requirements, standards and procedures to ensure consumers and businesses are protected from the dangers lurking in the dark corners of the world wide web.

This is all well and good, but here is the major problem: the certification process is currently voluntary.

At the largest companies, resources can be redirected towards such initiatives to ensure the demands and nuances of the framework are being adequately met. However, this is not going to be the biggest problem the digital economy will face. The start-ups and SMEs, those who can easily find other means to spend valuable and limited funds, will not voluntarily direct investment towards cost-centres and away from profit-builders.

However, with more risks being realised further afield in the ecosystem, a comprehensive approach to security is needed everywhere and anywhere. As Ruff pointed out during her presentation, the interconnected nature of the digital economy means that cybercriminals can infiltrate networks through weak points in the chain.

This is where the European Commission needs to move forward to ensure the certification framework is compulsory not voluntary. It might come as a financial burden to the start-ups, but it is the only way to most effectively mitigate risk. The investments being made by multi-nationals and telcos could be completely undermined by a rogue device connected to the network.

For the digital economy to be anywhere near ‘safe’, connected devices, whatever they may be, need to be secure out of the box and providers need to ensure timely and regular security updates. Unfortunately, this perfect scenario can only be achieved through effective regulation and a compulsory certification framework.

A good vision has been outlined by the European Commission, but this needs to be backed up by effective and compulsory regulation.

US security concerns rubbished by industry and academic feedback

If you thought the UK’s Supply Chain Review was coming to an end, think again as policy makers have been given more food for thought as part of the 5G infrastructure and national security inquiry.

Entitled ‘Ensuring access to ‘safe’ technology’, Parliament’s Joint Committee on the National Security Strategy has opened itself up to public comment. Although it comes as little surprise, the feedback is relatively consistent; let the industry work with Huawei and take a risk-based approach to managing infrastructure and networks.

For those looking across the Atlantic, there might be some hurt feelings. Business and academics from across the UK have largely panned concerns, albeit in very polite wording, suggesting that while there are security standards and regulations to ponder, the US rhetoric is largely not supported by evidence and undermined by its own actions.

Submitted to the inquiry mid-way through last week, the team at Oxford Information Labs makes a very valid point regarding Huawei’s entry onto the Entity List:

“The ban was immediately suspended for 90 days, and that suspension was continued for a further 90 days in August 2019, casting doubt on whether Huawei really did represent an immediate ‘national emergency’ as originally claimed.”

Many might have contemplated this opinion, but few have vocalised it. If Huawei is such a threat to US citizens and business, why has the US Government so easily allowed it to continue to do business within its borders? If the White House propaganda is to be believed, Huawei should be erased from the Land of the Free, though the US Government has continued to validate its presence through the two exemption periods.

There is of course the damage to US businesses to take into account but suspending the enforcement of the ban does undermine the insistence that Huawei is the tip of the Chinese sword.

Another point to consider, which is constantly overlooked, is the depth of evidence to support the wild claims of the White House.

“The US Congress has a long history of making accusations against Huawei, though it has never produced any technical evidence to show that it has undermined the security of its network equipment or that it has impaired the performance of or shutdown networks using its equipment,” said Ewan Sutherland, a telecommunications policy expert from the University of the Witwatersrand.

From a personal perspective, your correspondent feels this is an element of the saga which should be taken very seriously. Due to market consolidation and the intensive R&D demands of 5G, there are already few suppliers for the telcos to consider. If one or two of the major players are to be removed from the supply chain, this is a significant decision to make. Evidence should be at the heart of these actions.

This is an element of the debate which everyone should take into account. Huawei has no material presence in US networks, aside from working with a small number of regionalised players. The US does not have to take an evidence-based approach to banning Huawei, as there is little consequence. Other nations, who have existing relationships with Huawei, must take a much more contemplative approach as there are much more serious implications.

The call for Huawei to be managed as opposed to banned is one which has echoed out of the offices for some time. Vodafone has consistently called for a risk-based approach to procurement, while Three in its evidence to the inquiry has demanded the delay to deployment be minimised. This would appear to be the rational approach, though the UK Government does seem hard-pressed to support it.

This is where the telecommunications industry has backed itself into a corner. In the pursuit of a more cost-efficient supply chain, consolidation has been rife. Alcatel, Lucent, Motorola and Nortel were all victims of the consolidation trends, streamlining the number of suppliers who can offer services to the telcos at scale. Telcos now have to look at Chinese vendors to ensure there is competition.

In an ideal world, the UK or US Government might be able to point to a domestic supplier and suggest more products and services are sourced there. This would allow the Government to have more of a handle on development requirements, and despite the suggestion of a new player emerging, this is unlikely to have any material impact on 5G.

“Perhaps, the United States will push or support the creation of a new manufacturer of RAN, though it would need to be for 6G or 7G, rather than 5G,” said Sutherland.

The likes of Huawei, ZTE, Ericsson and Nokia have been investing in 5G R&D for close to a decade and have already begun 6G investigations. What chance would a new, standalone player have in penetrating this market within the next 10-15 years?

Looking through all the submissions, there seems to be a consensus. There are only three network vendors who can realistically support rapid 5G network deployment at scale, and Huawei happens to be one of them.

Regulators do need to have a much more considered approach to acquisitions and mergers in the future, if for no other reason than to avoid the bureaucratic congestion which we are seeing through this entire Supply Chain Review process.

Another interesting takeaway from the evidence which has been presented, is the desire to remain closely aligned with Europe following Brexit. This should not be considered new either, though perhaps this could build a bridge to repair the damage done by posturing politicians during the Brexit negotiations. Let’s not forget, Europe is the UK’s largest trading partner, and this will not change any time soon; relationships will have to be re-forged following the divorce.

Last week, the European Commission collated all responses from member states into a white paper which said very little which was not already known. 5G presents more of a security threat than generations prior, while state-sponsored attacks are becoming more of a risk. While this might have been seen as busywork, it was a necessary step in the bureaucratic maze to getting something done.

Over the coming months, member states will submit more evidence and recommendations to create what could become a pan-European approach to mitigating risk and rolling out 5G networks. What the submissions are suggesting to the UK Government is that any future proposals on the Isles align as closely as possible to what our European cousins are suggesting. Not only does this provide international consistency, it is a sign of good faith for future trade and political relationships.

Although this is not the end to the protracted evaluation of Huawei and the role of Chinese vendors in the UK network infrastructure segment, it does paint a very strong case for inclusion.

Europe has proven to be a key battleground in the increasingly fraught conflict between the US and China, and few companies are more exposed to the risk than Huawei. This is a vendor which captures billions in profit in its domestic market, as well as across Asia, though Europe contains a significant number of very prominent customers. However, the trends do seem to be heading in the right direction.

Germany has recently said it would not legislate Huawei out of the country, Italy signed a Belt and Road Initiative deal with China in March 2019, Belgium has conducted its own review without consequence to the vendor, while France and the Czech Republic have given warnings but not definitive action. While it is still anyone’s best guess, the UK looks like it is heading towards a risk-based position, potentially enforcing a multi-vendor approach to procurement.

Of course, while logic and behaviour suggest this is the most likely outcome, there is a lot which can go wrong. The UK will have to balance up the impact on existing and potential relationships, especially its standing in the valuable Five Eyes intelligence community.

At some point in the future, the Government is going to have to make a decision. The prolonged review of the supply chain does not sit beside political ambitions for a rapid rollout of 5G or the accelerated timeline for a full-fibre nation. The longer this review takes, the less likely it is the UK will be a major player in the digital economy.

Europe publishes 5G security report to state the obvious

After months of deliberation and consideration, the European Commission has published a report which comes to some fairly obvious conclusions on 5G security.

Although few would have expected something substantial from the bureaucrats, the published report seems to offer little to no insight or additional information. Once again, the Brussels brigade is showing how painfully slow progress can actually be.

“Today, Member States, with the support of the Commission and the European Agency for Cybersecurity published a report on the EU coordinated risk assessment on cybersecurity in Fifth Generation (5G) networks,” a statement reads.

“This major step is part of the implementation of the European Commission Recommendation adopted in March 2019 to ensure a high level of cybersecurity of 5G networks across the EU.”

In short, the report comes to a few conclusions:

  • Poor software development process could be a danger
  • Certain pieces of network equipment or functions are becoming more sensitive, base stations for example
  • State-backed threats are the highest concern
  • Telcos are too dependent on a small number of suppliers, some of whom could be considered a security risk
  • Threats to communications infrastructure should be considered a security risk

Amazingly, the European Commission has managed to create a 33-page report, which says nothing significant or particularly useful. Everything which has been stated is already known by those paying attention, though we suspect there would be a few politicians who would benefit from reading the report.

So, what does the report actually mean? Nothing for the moment. Anyone who was expecting action will be wildly disappointed, though the European Commission is suggesting member states create action plans to compensate for the increased risk. As you can imagine, there is little rush to complete these action plans, as the European Commission has given a deadline of October 1, 2020.

Every now and then the European Commission reminds us how painful bloc-wide bureaucracy can be, and this report has proven to be an excellent example. At some point in the future, the bureaucrats might create official security guidelines and regulation for member states to follow, though this is unlikely to be done in a timely manner.

du brushes aside Huawei security concerns

UAE telco du has confirmed it will continue to work with Huawei, ignoring the security complaints and warnings passing across the Atlantic from the White House.

Speaking to Reuters this weekend, du CTO Saleem Albalooshi said the telco would continue to work with the under-fire vendor as 5G deployment plans gather pace.

“Huawei is our partner in rolling out our 5G network,” said Albalooshi. “From a security perspective, we have our own labs in the UAE, and we visit their labs, we have not seen any evidence that there are security holes specifically in 5G.”

Although it does not necessarily attract the same headlines as elsewhere, the 5G revolution has been gathering pace very quickly in the Middle-East, with du one of the most advanced telcos.

Alongside competitor Etisalat, du launched its 5G networks in June. And if eye-watering download speeds weren’t enough to attract the interest of consumers, du also said it was giving away free Axon Pro10 handsets from ZTE for those who pre-registered to the service.

In making this statement, the UAE becomes the latest nation to defy demands from the US, risking the intelligence-sharing relationship in place between the two countries.

“Of course, this is definitely a concern, but such a thing is the government’s decision,” said Albalooshi. “We follow our government’s roads and we are governed by the regulator.”

This is becoming an increasingly common threat from the US, though it might find itself very isolated before too long. Although losing valuable intelligence from the US is a considerable threat, the same risk goes the opposite direction. If the US severs all the relationships it has promised, it will soon find itself missing a lot of insight.

To date, the threat has been directed towards the UK, Germany, India, certain states in Eastern Europe, and most recently, Italy.

The US is a powerful voice in the international political community, but perhaps it is not as influential as it believes. The number of countries choosing to ignore the requests of the US is starting to add up.

UK, US and Australia demand security delay from Facebook

Politicians from the UK, the US and Australia have penned an open letter to Facebook CEO Mark Zuckerberg requesting the team delay end-to-end encryption plans.

Signed by UK Secretary of State Priti Patel, US Attorney General William Barr, Acting-Secretary of Homeland Security Kevin McAleenan, and Australian Minister for Home Affairs Peter Dutton, the letter requests that before any encryption technologies are applied to messaging services Facebook includes a means for enforcement agencies to access the content transmitted across the platforms.

Once again, politicians are defying logic by requesting the creation of a backdoor to bypass the security and privacy features which are being implemented on messaging platforms and services.

“We are committed to working with you to focus on reasonable proposals that will allow Facebook and our governments to protect your users and the public, while protecting their privacy,” the letter states. “Our technical experts are confident that we can do so while defending cyber security and supporting technological innovation.”

It is as if the politicians do not live in the real world. We understand governments have a duty to protect society, and part of this will include monitoring the communications and activities of nefarious individuals, but this is not the right way to go about doing it.

Using the argument of security to undermine security and make citizens less secure is a preposterous idea, almost laughable. The ‘technical experts’ might be confident a backdoor can be built, but how do you protect it? This letter is requesting the construction of a vulnerability into security features, and once a vulnerability is there, it is only a matter of time before it is exposed by the suspect individuals in the rotting corners of society.

What is being suggested here is similar to building a high-security facility in the real world, with 15-foot, electrified walls, guards and watch-dogs, helicopters patrolling overhead, but then asking to leave the backdoor unlocked. It doesn’t matter how good defences are, eventually someone will find their way to the backdoor, open it and then let all his/her friends know how it was done. Chaos would eventually find a way.

This is of course a theoretical situation; the hackers might never find a way to or through the backdoor, but why tempt fate? No-one leaves their home believing they might be burgled that night, but they lock the door in any case. Why create a situation where the prospect of chaos is a possibility, irrespective of how faint? This seems like nothing more than simple logic.

As mentioned before, police forces and intelligence agencies are being tasked with keeping society safe. This is a very difficult job, especially with the progress of technology. Facebook, and others in the technology industry, should assist wherever possible (and legal), though this is not the right way to go about the situation.

This does put Facebook in a difficult position. The company is currently attempting to repair the damage to its reputation, as well as re-gain trust from both governments and wider society. However, it is increasingly looking like an impossible situation to satisfy both parties.

In March, Facebook CEO Mark Zuckerberg outlined a new focus for the company; it would hold the concept of privacy dear, and all new services will be built with privacy at the forefront of demands. Thanks to the Cambridge Analytica scandal, Facebook’s reputation as a guardian of personal information has been severely damaged, thus this new approach is critical to regaining credibility in the eyes of its users.

However, end-to-end encryption is a key element of this privacy strategy. Facebook cannot fulfil its promise to the user and satisfy the demands being laid out in this letter. If it was to build in a vulnerability, it could not tell the user in all honesty it has done everything possible to ensure security and privacy.

As the letter states, Facebook is doing more to clean up its platform.

“In 2018, Facebook made 16.8 million reports to the US National Center for Missing & Exploited Children (NCMEC) – more than 90% of the 18.4 million total reports that year,” the letter states. “As well as child abuse imagery, these referrals include more than 8,000 reports related to attempts by offenders to meet children online and groom or entice them into sharing indecent imagery or meeting in real life.”

This is the situation which Facebook is in. It is never going to be able to remove all the hideous conversations and activity on its platform, but governments will demand it does. Something will always slip through the net, and the sharp stick of the law will be there to punish the company. Facebook will never be able to do enough to satisfy the demands of governments, and therefore will always be in a defensive position.

However, you should not be distracted by the rhetoric which is being put forward in this letter. Yes, there are some horrendous activities which occur on the platform. Yes, Facebook should, and probably could, do more to assist police forces and intelligence services. Yes, the digital economy has largely shirked responsibility in the years leading to today. But no, building vulnerabilities in the system is not the right way forward.

These politicians are saying the right things to gain public support. These actions are in the pursuit of catching child molesters and terrorists; who wouldn’t want to help? But you have to look at the collateral damage. Users would be left open to identity theft, fraud and blackmail. These messaging platforms are used to have private conversations, exchange bank account details and discuss holiday plans. The number of criminals who could be caught is nothing compared to the billions who would be exposed to hackers on the web.

The idea which is presented here does have good intentions, but it pays no consideration to the collateral damage. The negatives of introducing a backdoor vastly outweigh the positives.

Quite frankly, we are still surprised to be having this conversation. Undermining security is no way to improve security. Governments need to understand this is not a viable option.

Security attitudes are improving but most don’t want to take responsibility

While there is growing momentum in the cybersecurity world, this, ironically, might create a false sense of security, and a reality check every now and then is always helpful.

A survey from Microsoft and insurance broker Marsh has highlighted some progress in the cybersecurity world; however, there are still monumental risks which are worth highlighting. This is the encouraging, but humbling point which is being made by the duo here. Perhaps one of the most worrying is the attitude that security is someone else’s responsibility.

Only 19% of large enterprise organizations believe they pose a risk to the supply chain, which is certainly not the case. It does appear these companies believe the responsibility of securing the ecosystem should be dealt with by someone else.

“Despite the decline in organizational confidence in the ability to manage cyber risk, we’re optimistic that more organizations are now clearly recognizing the critical nature of the threat and beginning to seek out and embrace best practices,” Joram Borenstein, GM of the Cybersecurity Solutions group at Microsoft, wrote.

“Effective cyber risk management requires a comprehensive approach employing risk assessment, measurement, mitigation, transfer, and planning, and the optimal program will depend on each company’s unique risk profile and tolerance.”

Cybersecurity as a topic is now being considered the biggest risk to the organization and executives are playing a more prominent role in developing and communicating these strategies. However, there are some elements of cybersecurity which are going to have a negative impact on the business, as you can see from the images below.

The extracts from the survey are quite varied, but they do illustrate a few interesting points which we would like to make in regard to cybersecurity.

Firstly, the attitude of the business. With 50% of respondents suggesting the business benefit of new technologies outweigh the risks, customers (either corporate or consumer) have to understand this. Suppliers or providers are commercial businesses which aim to make money for owners or shareholders. The risk of cybersecurity is tolerable as decreasing this risk might be unfeasible commercially.

This is not necessarily a bad thing, we live in a capitalist society after all and there is no such thing as 100% secure, though it is always worth remembering this nuance.

Another interesting element of the attitude towards cybersecurity risk is the evaluation of risk. Only 5% of companies are evaluating the cybersecurity threat at every possible element of the life-cycle, taking into account both the period prior and post purchase. Perhaps there is a belief that once a new technology or system has been installed it is safe, but this is of course not the case. It might also be down to the idea some are passing on the responsibility of security and resilience.

This is perhaps a problem which is a hangover from a bygone era. The responsibility of cybersecurity has to be shared throughout the ecosystem. If anyone shirks this responsibility, the supply chain is potentially corrupted and the threat passed onto other organizations. This is the new connected society, risk is shared amongst partners, customers and suppliers.

Of course, the introduction of new technologies will only heighten the threats which are present, this is always the case when companies and/or individuals venture into the unknown. However, it does lead us onto the final point; regulation.

Only 28% of the respondents believe current laws and regulations are fit for purpose in today’s society. The sheer velocity and variety of new technologies being implemented will not help sluggish bureaucrats catch up either.

Although there are plenty of negative points to focus on here, the industry is heading in the right direction. Cybersecurity is heading in the right direction, there is more money being invested and attitudes are more focused, but the risks are becoming increasingly acute. Progress, but still persistent worries.

Apple tells Google to stay in its lane over security claims

Apple has hit back at a Google blog post, which emerged last week, suggesting its rival in the smartphone OS segment was ‘stoking fear’ amongst its users.

The presence of vulnerabilities is nothing to be too surprised about, though when the owner of one smartphone OS points out said vulnerabilities to a rival, egos are always going to flare up. This appears to be the case here, with Apple offering its rebuttal to the Google claims, attempting to calm the waters.

“Google’s post, issued six months after iOS patches were released, creates the false impression of ‘mass exploitation’ to ‘monitor the private activities of entire populations in real time,’ stoking fear among all iPhone users that their devices had been compromised. This was never the case,” the statement reads.

Firstly, Apple claims the vulnerability was narrow, not broad-based as suggested by the Google blog post. Fewer than 12 websites were able to exploit the vulnerability. Secondly, Apple has claimed these websites were only operational for two months, as opposed to the two-year period which Google is claiming.

The vulnerabilities were reported to Apple in a responsible fashion in February, though last week’s blog from Ian Beer of Google’s Project Zero is what is irking Apple.

What Google pointed out to Apple in February is that there were several nefarious websites which exploited a flaw in the iOS programming to allow hackers access to iPhone users’ contacts, photos and location, as well as data from apps like iMessage, WhatsApp, Telegram, Gmail and Google Hangouts.

The vulnerability covered each version of the OS from iOS 10 through to the latest version of iOS 12, though it was not immediately clear from the blog post whether any data was actually taken from users. Apple has not offered any insight here either.

As mentioned before, the idea of searching for vulnerabilities is not new. Bug Bounties are often offered to individuals and companies to find and report the flaws to the company which owns the software in a responsible manner. Interestingly enough, bug bounty platform HackerOne has recently announced it has raised $36.4 million in a series D round of funding led by Valor Equity Partners.

We suspect Apple isn’t that concerned about a flaw being highlighted; it’s more who did the highlighting.

Aside from a few very minor ‘also rans’, the smartphone operating system market is dominated by two players; Google’s Android and Apple’s iOS. This is where you have to take the severity claims about the vulnerabilities with a pinch of salt; it is of course in the benefit of Google to make the vulnerabilities seem as serious as possible.

The publication of the Google post could have come at a better time for Apple considering it is set to unveil its latest iPhone tomorrow (September 10).

“A lack of 5G support in the new iPhone won’t surprise anyone, though it will still disappoint operators looking for 5G devices to help them drive traffic to new 5G networks,” said Peter Jarich, Head of GSMA Intelligence.

“At the same time, new features that are expected – improved camera functionality, improved processor, upgrade to Wi-Fi 6 – may all seem incremental rather than revolutionary, particularly if the product line and form factor line-ups remain relatively constant.”

As it is unlikely the new iPhone will offer anything particularly innovative or revolutionary, combined with the high likelihood of it costing a small fortune, Apple will want to quash any negative connotations. The iLifers are extremely loyal, but with 5G attracting headlines around the world, some might be tempted to jump ship to a 5G-compatible device. Google’s claim of vulnerabilities might encourage a few more.

Huawei hasn’t given up on Australia as it plugs 6G smarts

Even though Australia blindly followed the US down the Huawei-accusation rabbit hole, the Chinese vendor hasn’t given up on the country, using the 6G carrot to tempt the Aussies back into the fray.

Speaking at the Emerging Innovation Summit in Melbourne, a Huawei executive suggested Australian decision-makers have been short-sighted in addressing cyber-security concerns.

“The current approach being taken towards cyber-security on 5G mobile networks solves absolutely nothing – and that will be exposed further in 6G,” said Huawei Australia Chief Technology and Cyber Security Officer David Soldani.

This is of course assuming Huawei is an innocent party, though as little (if any) concrete evidence to prove guilt has been presented to date, the fair position would be to maintain this assumption of innocence.

“Blocking companies from certain countries does nothing to make Australia any safer from cyber-security issues – in fact it just makes things worse because they are not addressing the real issues on cyber-security.”

This is a point which has been raised frequently by those who advocate the inclusion of Huawei in communications infrastructure moving forward. Banning a certain company or technology from networks does not tackle the issue. For some, the most sensible route forward would be that of risk mitigation, an approach Vodafone in the UK has been very vocal about.

“Huawei is already way ahead of our rivals on 6G research and we can see that the way in which we will be gathering and consuming data on those 6G networks means the cyber security risks will increase,” Soldani added.

Although it might encourage moans from some corners of the industry, 6G is becoming a very real and increasingly important facet of the connectivity mix. 5G is of course not a reality yet, but for the R&D engineers, the job is complete. Work has moved out of the research labs and into production; for these employees it is onto the next task; 6G.

This is another common message which has come out of the Huawei ranks over the last few months; it is critical to work with us, not ignore us. And many of those on the technology side would agree also.

The reason the prospect of a Huawei ban is such a divisive and persistent topic is relatively simple; Huawei produces excellent products. Not only are these products cheaper, with field support for telco customers that is largely unrivalled, they are genuinely at the top of their field. There are large crowds who would suggest Huawei is the market leader in the radio and transmission segments.

“The communique from the Five Eyes was absolutely clear that countries need to ensure entire supply chains are trusted and reliable to protect our networks from unauthorized access or interference,” Soldani said.

“This means there is absolutely no point in simply banning companies from certain countries – it actually makes Australia less secure because it means we have to then increase our reliance on just one or two other vendors – neither of whom are having their equipment tested.”

This is another point which, once again, has been thrown around quite often by Huawei, but is also valid; no-one is 100% free of cybersecurity risk. By reducing the number of attack points for cyber-criminals, arguably it becomes more difficult to defend and the chances of a breach increase.

These are all perfectly valid points, but Huawei is trying to prove a negative here. Nothing which can be said or presented to the world would completely exonerate the firm of suspicion, especially with the US Government constantly hinting there is evidence of wrong-doing. The fact that no-one outside the White House or the Foreign Department has seen this evidence does appear to be irrelevant to some, though that is not to say it does not exist.

This issue is quite frankly becoming tiresome. Of course, governments around the world have a duty to ensure companies are acting responsibly through the sourcing and deployment of secure and resilient products, but the issue has become tedious to discuss week on week. Unfortunately, as the UK Government continues to kick the can down the road, the debate is likely to continue.

Although the UK is finding it difficult to maintain friendships with its peers inside and outside of the European Union, it is still an incredibly influential voice. The Supply Chain Review has attracted interest from numerous parties around the world, and the decision will be carefully scrutinised. It might be rubbing nations up the wrong way with Brexit, but its opinion still matters.

Some nations of course benefit from the on-going stand-still and some don’t. The UK doesn’t benefit, as telcos are still no wiser as to whether supply chains will be in tatters, and numerous other countries that rely on Huawei, Germany, Spain or Italy for example, are in the same boat. Australia is in a tricky position as banning Huawei limits the options which are out there. This presents complications from a resilience and competition perspective.

The US appears to be one of the few nations which is not going to be impacted. Deployment might be a bit more expensive due to decreased competition, but the telcos have never had the opportunity to include Huawei in plans so there is no disruption from this on-going saga. The US might well be a lost cause, but it does appear Huawei believes it can charm Australia back on-side.

Huawei might not have given up on Australia, but as long as the White House is singing from this hymn sheet, it is likely to be nothing more than a Sisyphean task.

ZTE gains confidence on the back of solid earnings growth

Perhaps ZTE has just been enjoying an uncomfortable silence and an expensive milkshake in recent months, but its financials for the first half of 2019 are screaming for attention.

It is quite difficult to measure the performance of the business by looking at the financials alone, as ZTE found itself in the Trump crosshairs in H1 2018, though the team is hyping itself up now, seemingly to gain attention in a very noisy segment. ZTE is often overlooked when considering the major network infrastructure vendors, but it certainly does warrant mention.

Revenues for the first half of 2019 stood at roughly $6.23 billion, up 13.1% year-on-year, while profits increased a massive 118% to $210 million. The team is now forecasting profits between $530-640 million for the first nine months of the year.

These numbers might sound very impressive, but it was at this point last year when President Trump and his administration targeted ZTE. In May 2018, ZTE announced its major operating activities had ceased after the US Department of Commerce’s Bureau of Industry and Security (BIS) placed an export ban on the vendor. Without the US complement in the ZTE supply chain, the firm was almost extinct, though concessions were made and now it appears it is business as usual.

This is why the year-on-year gains are largely irrelevant. ZTE was a shell of a company at this point last year, fighting for its very survival.

That said, the company is surging towards the 5G finish line just like its rivals, and now it needs to convince potential customers it is a stable, reliable and innovative partner. Being selected to supply equipment to any telco will come only after intense scrutiny, and thus the charm offensive has begun.

First of all, let’s start with the R&D spend. ZTE has suggested it has spent roughly $900 million on R&D for the first six months of 2019, a 14.5% ratio of the total revenues for the period. This is an increase from the 12.8% share of the same period of 2018, with the new figure just ahead of the 13.8% share of revenues (estimate) Huawei allocated to R&D last year. The domestic rival has promised to increase this figure by 15-20% for 2019, though the overall percentage will not be known until the full year financial figures are known.

In comparison, Ericsson said it attributed 18.5% of net sales revenue to R&D over the course of 2018, a figure which increased to 18.7% by the end of the first six months of 2019. At Nokia, 18.4% of net sales revenues were directed towards the R&D department for the first six months of this year.

This part of the business has largely been focusing on the development of basic operating systems, distributed databases and core chipsets most recently. The company has completed the design and mass production of the 7nm chipsets, while it is currently undergoing the R&D phase for 5nm chipsets.

All this work has resulted in 3,700 5G patents being granted to the firm, though this number might notably increase in the near future. ZTE has also said it is partnering with various Chinese universities to source 5,000 new employees to bolster the R&D ranks. Once again, these are numbers which are being cast into the public domain to enhance the reputation of the business at a time where vendors are facing scrutiny at an unprecedented level.

Of course, when we are talking about creating a perception of stability and reliability, as well as increased scrutiny, you have to discuss security.

ZTE might have managed to avoid US aggression over the last couple of months, as Huawei has been the primary target, but as a partly state-owned entity, such questions will never be that far away. This is where the cybersecurity centres will play an important role.

Opened in Nanjing, Rome and Brussels, the cybersecurity centres will allow potential customers to test and validate the security credentials of the firm prior to installing any equipment or software in the network. Some will not be convinced this is a fool-proof way to ensure resilience, though it is an act of transparency which the industry and governments have been crying out for.

The result of this work is 60 memorandums of understanding (MoU) with telcos around the world, 50 5G demonstrations in 20 industry verticals, 300 strategic collaborations and 200 5G products to date.

It is often easy to overlook ZTE and designate the firm as a poor man’s version of 5G network infrastructure, but the numbers justify inclusion at the top table. The challenge which ZTE now faces is making prominent strides into Western markets, the very ones which are getting twitchy over security and price today.

UK Gov launches Round Three of cyber security skills initiative

The Department of Digital, Culture, Media and Sport (DCMS) has launched a new campaign to attract a broader array of talent into the work of cyber security.

This is the third round of funding for the Cyber Skills Immediate Impact Fund (CSIIF), with training providers able to access up to £100,000 of government funding to work with employers and design training programmes which retrain a diverse range of individuals for a career in cyber security.

“This latest round of funding demonstrates our commitment to make sure the UK’s cyber security industry has a skilled and diverse workforce and, through our new Cyber Security Council, there are clear paths for those wishing to join the profession,” said Cyber Security Minister Nigel Adams.

“It’s fundamental that cyber security is seen as a nationally recognised and established profession with clear career pathways,” said Simon Edwards, IET Director of Governance and External Engagement.

“With cyber skills shortages already emerging at every level, we are committed to working with the Government and the National Cyber Security Centre on delivering the rapid, yet capable development of specialist cyber skills to meet the growing needs of the industry, manage risk and secure the next generation of talent.”

Alongside this funding, the Institution of Engineering and Technology (IET) has been selected to help design and deliver a new UK Cyber Security Council to coordinate the existing professional landscape. The aim will be to create an accessible career path, which is appealing to those entering the workforce.

This is the challenge which the UK is facing; a shortage of skilled workers to address specialised tasks which are emerging in the digital economy. Cyber security might not be a new concept, but as it is one which has been ignored by industry for years, this under-preparedness has been passed onto the workforce.

Recent research from DCMS suggests 54% of businesses in the UK have a basic technical cyber security skills gap. The biggest areas seem to be forensic analysis, penetration testing, security architecture and using threat analysis insight.

Interestingly enough, while this is a promising initiative to retrain workers and provide a boost to the workforce, some of the building blocks are still missing; the UK education system and the national curriculum are still too focused on traditional and classical topics, and not on skills and vocations which will create the workforce of tomorrow which is needed today.

Take coding as an example. There are schools where ICT, of which coding is an element, is a compulsory topic at GCSE, but these are not the majority. The workplace of the future is going to be increasingly digital, and if the UK Government envisions a continued shortage of competent digital employees, surely reforming the curriculum would be a good step forward. Perhaps these subjects, which drive potential employees towards data science, software engineering and cybersecurity, should be made compulsory by default.

This is a positive step forward, though retraining schemes like this are reactive. A long-term, sustainable solution to the skills shortage would be to address the challenge at the root.