Governments and industry need to “focus on fixes, not fear,” and work out how to build safer 5G networks rather than obsessing about national security concerns leveled at suppliers, according to the National Cyber Security Centre (NCSC).
NCSC boss, Ciaran Martin, told attendees on day three of Infosecurity Europe this morning that the next generation of network infrastructure can be architected in a way that mitigates risks posed by vendors.
Referring to a tabloid headline which claimed Huawei could theoretically turn off all the household appliances in UK smart homes if allowed to build 5G, he argued: “We don’t have to build 5G networks that way and I’d argue we shouldn’t.”
Martin added: “We have to get 5G network security right, and that is a much bigger issue than the national identity of suppliers.
“It would be a real shame if we allowed fear back into cybersecurity. People need to understand the risks, and we, as experts, need to understand and explain how network security can be [implemented] to give a satisfactory level of assurance.”
The UK government has worked hard over the past few years to move from a fear-based approach to cybersecurity to a pragmatic one, he claimed.
Part of the journey towards a more mature approach to cybersecurity is promoting pragmatic ways to tackle threats rather than glamorizing attacks.
“Cybersecurity is not something we should be scared of and not something we should scare people about,” argued Martin. “The first step is to understand that and the diversity of it and [not promote] cybersecurity as a big technical ball of risk that non-technical people can’t understand.”
To help with this, the NCSC has produced a “five questions for boards” document, so that business leaders are better equipped to discuss issues in depth with CISOs.
“You don’t all have to be cyber experts, but you need to know how to talk to cyber experts,” Martin added.
Quick wins could be had from focusing on improving baseline security, he added, claiming that the notorious state-sponsored Cloudhopper attackers managed to infect some victims using a 19-year-old virus because they were running outdated systems and flat networks.
Martin concluded on a note of optimism, claiming that, unlike the start of the digital revolution 20 years ago, industry experts can see a lot of what’s coming down the road. By working “seriously, dispassionately and transparently,” progress can be made to eradicate structural vulnerabilities, he argued.