A zero-trust approach to cybersecurity
Amid the steadily deteriorating relationship between the United States and China in recent years, China has emerged as the center of a new narrative on cyber risk, with one company targeted in particular: China's 5G champion, Huawei.
Australia was the first country to ban Huawei from deploying 5G in 2018. At the time, the intelligence advice was that Australia lacked the capacity to mitigate the high risks of 5G connectivity. Certainly, new technologies connecting smart devices and high-speed networks will generate many more points of vulnerability to cyber attacks.
Following the Australian ruling, the US not only banned Huawei on (not yet proven) espionage allegations, but embarked on a campaign to block supplies of advanced semiconductors to many Chinese companies and is advocating wholesale decoupling of Chinese technology.
But is simply branding China a risk, and campaigning to block its technological rise, sustainable in the long run? Or are there better ways to manage the complex risks of an interconnected digital future?
The generally unspoken irony of the spy fears surrounding Huawei is that the United States and its Five Eyes partners are doing exactly what they accuse China of doing.
Espionage is nothing new; it is often called the second oldest profession. The primary argument against Huawei, that the Chinese state could order the company to do its bidding, appears at first glance to be a reasonable fear, just as it would be a reasonable fear vis-à-vis the United States and other countries. The difference, of course, is that China is unlikely to produce an Edward Snowden to reveal its secrets any time soon.
Yet state-sponsored cyber attacks are usually not carried out in conjunction with telecom operators, but more often by uninvited third-party hackers. This highlights why top-down cybersecurity should be vendor-blind. After all, cyber attacks can come at any time from any direction, including from states, organized crime groups and dedicated hackers.
We should therefore not congratulate ourselves too quickly that everything is resolved by banning this or that company or by blaming this or that superpower. It is understandable that, in the absence of strong cyber defenses, Australia and a number of other countries have simply chosen to avoid the hypothetical risk posed by China by banning its main provider of 5G equipment and services. But the Huawei debate, shrouded in the current geopolitical contest, could distract from the need for comprehensive cyber defenses and prevent authorities from taking a pragmatic and sustainable approach to a global problem.
Notably, Huawei has fought back, including with legal action and by opening its equipment and source code to scrutiny in testing centers around the world, in countries such as Belgium, Canada, Germany and the United Kingdom. It offered Australia a test center, but was rebuffed. This month, it opened its “world’s largest cybersecurity and privacy transparency center in Dongguan, China,” which it claims offers a close examination of how Huawei prevents backdoors, malware and malicious behavior.
But this attempt to answer the criticism of Huawei offers a technical answer to a geopolitical problem. The real problem is the collapse of confidence in China. Yet the real question is not whether China engages in cyber attacks; it certainly does, just like the United States, Russia and many others. In cybersecurity, zero trust in all stakeholders is the most appropriate strategy. “Zero trust” is how the experts interviewed in my cyber risk research characterized a robust approach: defend against threats, whatever their source.
Governments, businesses and individuals everywhere need to invest much more in cybersecurity. Unfortunately, there may never be 100% cybersecurity (as with any other form of security), but in the 21st century all nations arguably need a “cybersecurity force” as an integral part of national defense.
A cybersecurity force should have the ability to activate firewalls at lightning speed and protect national data without snooping on it. This is why it should not be housed within national intelligence agencies, which themselves play the offensive role in cyberspace, but within the framework of national defense. It should have the power to require inspection of all equipment and source code at any time, and the ability to take control of a network if the provider company refuses to cooperate with the cybersecurity force.
A cybersecurity force should continually seek out malicious actors on the basis of zero trust and proportionate risk assessment. It should be agile, deploying advanced technical capabilities to block cyber attacks, not only on critical public infrastructure but also, in collaboration with the private sector, to protect against major attacks that could cripple the economy. If an adversary engages in a cyber confrontation or attack, a cybersecurity force may need to threaten or mount a counterattack, but it must be as transparent as a military deployment and subject to the same scrutiny, calling out malicious actors with evidence rather than mere assumptions. This would be the state's escalation path: capacities up to the challenge, regulating where necessary, deterring, and always defending.
However, even stronger national cyber defense is not enough. Global solutions are needed to make the globally connected technologies of the future as secure as possible. At the international level, rigorous and enforceable rules are needed, as well as cybersecurity norms and standards. Reliable and secure governance will be essential for the cross-border interdependence implicit in the Internet of Things (IoT).
Hard as it may be for some to swallow, developing global rules will require working pragmatically with China, given its probable central role in global value chains. The great lost opportunity of the post-Cold War era has been the failure of the sole remaining superpower to invest in strengthening the United Nations system. But it is time to consider a new multilateral framework to deal with the security and other challenges of new technologies.
A change of administration in the United States could be an opportunity to bring it back to the table on the development of practical rules at the multilateral level. Just as the Biden administration is engaging with China on climate change and other major global challenges, it is time to adopt a less ideological and more pragmatic approach to cyber risks.
It is time to consider a “World Cyber Security Organization” to manage and enforce the rules for a secure digital economy. Such an organization, strengthening and coordinating the currently scattered and disjointed attempts to establish rules, could be empowered to develop and relentlessly enforce proportionate security standards. The country of origin of technology companies should be ignored. It could oversee the test centers, bringing an equal measure of scrutiny to all companies in all countries to ensure compliance. If the two competing superpowers agreed to this, it would be a big step forward. Without their commitment, of course, it cannot happen.
That there is no serious discussion about the global rules for cybersecurity, at a time when digital transformation is about to connect us all in unprecedented ways, is extraordinary to say the least.
It may seem unrealistic to propose a new multilateral approach at this time. Rule-making and enforcement also seemed unrealistic in the early years of the US-Soviet geopolitical competition, but the International Atomic Energy Agency and a host of arms control agreements became critical in building confidence and preventing disaster, and ultimately played a role in ending the Cold War. As Ronald Reagan used to say, “trust, but verify”.
A zero-trust approach to cybersecurity – pragmatic and defensive rather than ideological – together with effective global rules for new technologies, could yet demonstrate that, as in previous eras, it is possible to coexist, verify and enforce minimum standards to protect citizens from malicious actors. The alternative – a world of militarized technology and the anarchic law of the cyber-jungle – is unthinkable, but for lack of thought we are drifting in that direction.