The national security council is right not to ban huawei, but that is only the start | thearticle

The carefully crafted National Security Council decision on Huawei and 5G seems a sensible balance between the national security interests involved, as well as economic and diplomatic

objectives. But it deals with only one of the security issues around 5G. Banning Huawei from selling into the UK market at all would have sent a disturbing signal that, as a matter of

principle, post-Brexit global Britain was turning its back on China, the second largest economy on the planet, as well as further narrowing the choices open to our mobile telecoms companies

at a time when we should be encouraging a resilient and diverse supply base. A decision to allow trading with another country has never implied endorsement of its political system. China is

no exception.   In practical terms, especially given Huawei’s existing role in 3G and 4G networks, banning them altogether would have significantly delayed the delivery of the advanced

mobile networks the UK really needs, as well as affecting the roll-out of superfast full fibre networks. But Huawei remains a high risk vendor and the restrictions to be imposed are

necessary, including confining their share of the market to a maximum of 35 per cent for each of the four telecoms companies, while excluding Huawei equipment from the so-called management

plane controlling the overall network and from providing base stations around sensitive locations.  There is a danger, now that this long-awaited government decision has been taken, that

Parliamentary and public interest in future network security will quickly fade. The reality remains that the threat of hostile action against our critical infrastructures continues, and

could worsen as adversaries evolve new attacks and ways to evade our security measures. Sensible choice of vendor and monitoring of supply chains are only part of what is needed to keep us

safe. There is a real struggle to come to maintain adequate security in the future and reassure our allies that we are managing the genuine risk to all our interests involved in the security

of 5G and other advanced technology.  Principal among those risks will be vulnerability to malicious interference. There will be more nations and non-state groups with the capability, and

the motive, to be able to disrupt life in the UK. That problem is not just about the hackers of the Chinese People’s Liberation Army. There are many others to watch out for. We have already

seen sophisticated attacks on networks by Russian groups, including attacks on US election infrastructure and on the Ukrainian electricity supply system serving Kiev. Over $1billion of

damage was caused to Western companies by the NotPetya worm that escaped into the wild after a Russian group used it against a Ukrainian target. And there are others, including the North

Koreans and Iranians.  In the jargon of the intelligence world, the “Internet of Things” greatly expands the attack surface, providing opportunities for crime, espionage, sabotage and

subversion to pervert internet technology (forming a handy acronym, the CESSPIT). The 5G mobile networks will offer the greater bandwidth to carry data communications to and from all these

new devices, and the connected infrastructure of “smart cities” in which traffic management, utilities and public services are managed through the use of huge volumes of real-time data.  And

with 5G many of these applications will be working in near real time. Without that advanced connectivity, it will not be safe to have remote medical diagnosis and surgery, driverless

vehicles or parcel deliveries by drone, to cite gleams in the eyes of the industry.  At the same time, hostile espionage will continue and must be defended against, including by use of

strong end to end encryption on the applications running on the future 5G. It is already the case that the highly classified defence networks, and those serving the Five Eyes intelligence

relationship, do not and should not use Huawei equipment. The Advanced Persistent Threat actors, such as the Chinese and Russian groups, have already had significant espionage successes,

achieved independently of the nationality of origin of the equipment in the networks. The attackers have largely succeeded through human fallibility: through, for example, exploiting

so-called zero-day vulnerabilities, through systems not being patched, poor password discipline on the part of users, and through resistance to adopting two factor authentication. Another

method is for the attacker to manipulate human psychology with personalised “spearfishing” emails (often using information scraped from social media) that makes clicking on the embedded

malicious link almost irresistible. What parent, knowing a child was on a skiing holiday, would not open, probably without thinking, an email about an accident on the piste? Who would not

click on the link purporting to show a photo of the youngster with leg in plaster? Now is the time to double down on cyber security education, advice to companies and institutions and to the

public about what it takes to live safely in the 21st century. Going beyond the 5G issue, that campaign should also tackle improving understanding of the information warfare and

“surveillance capitalism” to which we are so vulnerable. We also need tighter regulation of critical national infrastructure, for security as well as for safety and fair competition. The

architecture of these future networks and the coding of their software and control systems will have to be of an altogether higher order than we are used to. Rigorous testing regimes by

OFCOM, with the full technical assistance of the NCSC, are essential. Finally, we must continue to invest in the intelligence capability to be able to trace and attribute attacks, so that

adversaries are in no doubt they will be exposed, and the consequences will be severe. The government needs to join with allies in signalling that we will respond to hostile acts in

cyberspace as we would to any other threat to our national interests. They need to know that we will respond as we choose, using all necessary means — diplomatic, informational, military,

and economic — as international law allows.