The move to limit Huawei to “non core” parts of critical infrastructure signals the UK’s efforts to manage cyber risk to national critical infrastructure and the country’s most sensitive data. The idea is that if the Chinese are going to spy on the UK, they will most likely do this by planting “back doors” — deliberate security holes — into core parts of 5G infrastructure (the bits where communication is being processed). If we keep their kit out of these areas, then we foil the main method of state-sponsored hackers. But the reality is, nation state hackers often just walk through the front door.
GCHQ’s Huawei Cyber Security Evaluation Centre (HCSEC) has been scouring Huawei hardware since 2010, checking every Huawei device destined for use in the UK for backdoors. Whilst software vulnerabilities that plague all technology have been found, there is no sign of any hole that can be conclusively categorised as deliberately or maliciously planted “back doors”.
Backdoors are a legitimate cyber security concern — you can bet your bottom dollar that if state sponsored hackers manage to successfully plant them into technology without anyone noticing, they will exploit them. The GCHQ’s efforts to uncover backdoors is a welcomed pursuit, but it’s not enough to keep us safe from nation state attacks.
Is Huawei really a threat to an organisation’s mobile security?
Nations are unlikely to rely on planting backdoors as their primary method of entry because efforts like the HCSEC can expose holes in hardware relatively easily, and once exposed, attribution is hardly difficult. Consider the case in question: should the Centre find planted backdoors on Huawei hardware, they would know exactly where to point the finger – the game would be up far too quickly. Advanced persistent threats are masters of the long game.
In reality, state-sponsored attackers launch multi-step campaigns, testing several routes, known and novel, to gain access and wipe up their footprints. Once inside, they try to remain undetected for prolonged periods of time, slowly stealing the most valued data or gaining enough knowledge to cause widespread disruption.
What’s more, the most advanced and persistent threats exploit accidental vulnerabilities, often beginning with social engineering techniques and using creative and continuous hacking techniques to gain access to critical systems and, critically, remain undetected.
Five reasons to trust 5G, according to Huawei CTO
State-sponsored hackers don’t need to plant backdoors, because they increasingly make do with the front entrance. The 2015 attack on Ukraine’s power grid that plunged a community into darkness combined the exploitation of known accidental vulnerabilities with spear phishing — spoof emails sent to employees that secretly contained malicious word documents attached. This attack method is more favourable because it is so targeted. Increasingly, we are seeing state-sponsored hackers develop initial access by bribing or blackmailing employees that hold the keys to powerful admin credentials, or even gaining physical access to their target premises.
It is precisely the creativity of nation state attackers that has led to a shift towards the continuous monitoring of risk across globally distributed networks, made up of multiple third parties across the world, using artificial intelligence. The number of entry points and potential movements that must be analysed is simply too high for human security teams; for a growing number of government bodies across the world, behavioural AI systems now do the heavy lifting, understanding and pre-empting the decisions of adversaries at a speed and scale that humans cannot match.
Banning Huawei from the parts of 5G infrastructure where sensitive data lies is an attempt to manage the risk of state-sponsored attacks on critical infrastructure. But to focus the main efforts of our national security strategy on banning one supplier from sensitive parts of the network and scrutinising all of their hardware for carefully planted backdoors leaves us unable to see the wood for the trees.
The bottom line is — we can’t really predict where hackers will poke and prod next in the hope of gaining access to the nation’s critical data and infrastructure. They may plant backdoors – and dismantling every bit of kit will go some way to defending against this technique — but this is just one of a plethora of ways they can get in. Relying on humans taking apart bits of one vendor’s kit and patching vulnerabilities will not be enough to fight this unpredictable threat; our infrastructure must be able to defend itself.