Landmark panel on Chinese spying fears, attack attribution, and the cyber skills arena
Any differences about Huawei were minimized when representatives of the Five Eyes intelligence alliance joined together on stage during the CyberUK conference in Glasgow recently.
During the first ever UK-hosted Five Eyes conference panel, senior officers at GCHQ and the NSA appeared alongside their peers from Australia, Canada, and New Zealand, to talk about threat intelligence sharing and the skills shortage, as well as the extent of the national security threat posed by Chinese telecoms equipment supplier Huawei.
Leaked reports from the UK’s National Security Council, a cabinet sub-committee chaired by Prime Minister Theresa May, suggested that a decision had been taken to source “non-core” 5G infrastructure from Huawei in spite of objections from several senior ministers.
The US has blocked any use of Huawei’s kit in its 5G infrastructure out of concerns that radio antenna and base station kit from the Chinese firm could become a conduit for spying. Australia has applied a similar ban, leading to appearances (at least) that the UK was out of step with its partners.
The suspicion is that the UK might be weighing economic factors and the possibility of smoothing the path for a post-Brexit trade deal with China ahead of other concerns about Huawei’s security engineering practices.
Ciaran Martin, chief executive of the UK’s National Cyber Security Centre, sought to minimize differences between the Five Eyes on whether or not to permit usage Huawei’s kit.
“There’s way more that unites us than any differences,” Martin said. “I’m not going to shirk the current debate around telecommunications and 5G… [but] there’s a lot more to 5G security than whether particular companies get particular contracts – there’s a whole framework of improvements we need to make.”
“You’re looking at the united Five Eyes panel… we can and have coped with various differences in the past,” Martin added.
Rob Joyce, a senior cyber security advisor to the director of the NSA, said all Five Eyes members recognized the threat from “nations that want to come at our critical infrastructure”.
“We in the US are not going to have Huawei in our most sensitive networks,” he said. “What I see is a discussion playing out about where [abouts] do you define sensitive networks, where they start and end.”
Scott MacLeod, an assistant director-general at the Australian Signals Directorate (ASD), added: “Each country has different environments that they operate within and our infrastructures are [all] different.”
Scott Jones, head of the Canadian Centre for Cyber Security, said: “Telecoms is the basis, but there are other critical infrastructures we have to protect.”
The Five Eyes is an intelligence sharing alliance between Australia, Canada, New Zealand, the UK, and the USA.
For most of its history the alliance operating in the shadows, but greater transparency over recent years, partly precipitated by the revelations from Edward Snowden, have led to a higher public profile for its members and arguably greater openness.
The cyber spymasters said that one of the areas that is changing most rapidly is incident response, partly because of the need to brief commercial firms involved in the provision of components of critical national infrastructure.
Many incidents come to the ASD through its partnership with industry.
McLeod commented: “It’s very rare any one of us is facing an incident that is unique but will often have a lot more knowledge in our [intelligence] communities. Getting that information out fast so that the rest [of industry] can protect their own environments or react is important.”
“The speed of getting things out is one of the things that has changed in the Five Eyes community,” he added.
The NSA’s Joyce said one challenge is setting classification levels of intelligence and distilling things down to advice that can be both widely shared (at least among industry) and actionable.
Sources and methods still need to be kept secret, however the risk calculus has changed because of a realization that information security intelligence that isn’t shared with the commercial world is close to “useless”, according to Joyce.
A question of attribution
One aspect of incident response is attack attribution.
The NSA’s Joyce said that simply hardening systems to repel attacks is insufficient. Evidence based attribution can be used to bring criminal prosecutions against individuals, or to apply diplomatic sanctions in order to deter attacks.
Making complaints against North Korea or Russia may seem like a waste of time to some, if not Western intel agencies.
Joyce argued: “There’s so much as stake for the things we’ve connected on, the things we rely on – whether it’s our critical infrastructure or our financial wellbeing.
“We have to establish norms – there’s a small set of countries not behaving within international norms. There are countries that are attacking other countries in cyberspace or who are stealing wealth to avoid sanctions – they are literally bank robbing – it’s a small group.”
Joyce singled out Russian propaganda and election interference campaigns, China’s theft of intellectual secrets, and Iranian attacks on its neighbor’s infrastructure systems, as well as alleged North Korean attacks against the reserves of banks and digital currency exchanges.
“We have to be comfortable in saying it’s not acceptable,” he concluded.
The NCSC’s Martin said attribution can help industry to understand risks as well as promote action.
“If we put out an alert based on an attack and say [to industry], ‘Can you fix it?’, you get a certain response. But if you say, ‘This is Russia’ then you get a bigger response,” Martin explained.
In addition, attack attribution sometimes (but not always) has an effect on adversarial behavior, he added.
MacLeod commented: “Attribution is not trivial. There are people who think they understand attribution, but it’s very complex. It’s a very high bar for us, and we feed the information to the government and they make the decision on public attribution.”
The panel concluded with a discussion on cyber skills.
Jan Thornborough, unit manager of outreach at the New Zealand National Cyber Security Centre, said it was keen to demonstrate diversity leadership to the wider industry by recruiting more women, through initiatives such as graduate programs, and by creating a working environment that is open and welcoming to the LGBTQ community.
“We need to dispel some myths around cybersecurity,” she said. “Cybersecurity skills are not [just] technical skills.”
“We’ve got to get rid of the stereotype of the ‘hooded hacker’,” she added. “There isn’t just one path into cybersecurity – there are different educational paths that people can take, and [with that] you add a richness and diversity to the organization that may not have been previously seen.”
The Canadian Centre for Cyber Security’s Jones said: “We try to encourage more diversity, and we hire [people with] more diverse skills. Everybody just assumes you need a computer science degree or some heavy mathematics [to work for an intel agency].”
“Some of our best cyber analysts are social scientists: you need to make it real, and to put it in the context of the society – not in the context of technology. Of course, we have computer scientists as well. We need diversity of thought and opinion,” he added
MacLeod said: “One of the big things we have done is remunerate properly – and it’s not just pay, but also involves provision of training and career development more generally.”
The ASD’s work with academic institutions to “talent spot and get the right people in the door”. The intel agency also has various programs targeting schools and children of all ages.
“If we are educating for what we see now, we are failing,” he explained. “We really need to understand what the challenges will be in the next three to five years. The problems will be very different.”
In the cybersecurity world things are moving so quickly that we need a “three-month PhD”, he joked.
“[The challenge is] how do we help the academic side of the house move to a faster pace and get those people through who will support the ecosystem, not just for us, but for the whole of Australia?” MacLeod said.
“Right now all that we’re doing is stealing from each other… we’re [just] poaching each other’s workforces and that’s not sustainable.”
NSA’s Joyce agreed: “I think we have a scaling problem. We are all short of the talent we need – rather than focus on the top of the pyramid, we have to expand the base.”
“We need to get women and minorities recruited. We have a lot of efforts in the US, including a range of summer camps,” he added.
The NCSC’s Martin said: “We are passionate about skills – both the quantum and diversity of skills.”
“Let’s not be despondent,” Martin added, arguing that the skills shortage can be bridged.
“People say the skill situation is so bad, we just can’t do anything about it – but give it a go. You’ll be surprised what people can do, whether it’s through formal [academic] training or on the job.”
“We’ve got to use the people we’ve got as well as develop the next generation… so give it a go and don’t despair if you don’t have the right skills right now,” he concluded.