Even supposedly ‘trusted’ members of the supply chain introduce cyber risk. The real challenge for avoiding network vulnerability isn’t a ban on Huawei; rather, it lies in how we get better visibility of what is going on across our complex digital infrastructures, and how we identify security problems when they occur.
The debate around 5G has brought to the world’s attention the inherent security challenge that complex, global supply chains present.
Whilst much of the conversation to date has focused on trying to decipher the intentions of one particular supplier, namely Chinese telecommunications giant Huawei, this is somewhat of a red herring where network vulnerability is concerned.
That is not to say these concerns are not legitimate: when any hardware or software supplier is embedded within critical infrastructure, we are right to consider whether their kit contains backdoors that could allow that supplier to be privy to sensitive data. And we cannot ignore that nation states around the world have increasingly turned to the cyber realm to garner intelligence, wield influence and disrupt their adversaries’ infrastructure.
However, our globalised economy has long relied on trading with many different nations and thrives on connectivity. Western consumers now all rely on technology that was designed or manufactured many miles from their homes. We use smartphones made in China, and our personal information is scattered around various data centres in India or the Philippines, via hosted service providers and call centres. Data is now fluid, mobile and global – that ship has sailed.
Global supply chains mean that those with criminal intent have many points of vulnerability that may be tested in the pursuit of compromising sensitive systems or equipment. It also means that attackers have more places to hide: the complexity of a global supply chain is their friend.
The problem that must be tackled urgently by governments and businesses is not so much whether to cut out a single vendor – however legitimate the concerns about their integrity may be – but how to manage the pervasive risk that suppliers from all over the world bring. Too many organisations feel blind to what’s going on in their own systems – let alone the risk that their customers or suppliers might introduce.
The good news is that artificial intelligence is making major steps forward in this area. Today, the most cyber mature organisations are already relying on AI systems to continually monitor their risk across globally distributed networks, made up of multiple third parties across the world.
Recently, this technology automatically fought back against an attack targeting a film production studio in Los Angeles, after the account details of a contact at a trusted supplier had been compromised. After reading through the contact’s historical correspondence with an employee at the studio, the criminal learnt the typical tone and style of their conversations and sent a plausible reply to the employee’s last email. The email, practically indistinguishable from genuine communication, included a malicious link with the motivation of obtaining executive salary information. The AI stepped in without human intervention, recognising the email as suspicious, preventing any data from being leaked out of the organisation.
This story demonstrates that it is a false hope to imagine that a ban on Huawei would guarantee a network invulnerable to cyber-attack. Even supposedly ‘trusted’ members of the supply chain introduce cyber risk. The real challenge lies in how we get better visibility of what is going on across our complex digital infrastructures, and how we identify security problems when they occur.
The complexity is such that AI will be necessary, not a nice-to-have, to make sense of the noise of the network. We need to get on the front foot if we want to sleep better at night, embracing the reality of global supply chains, while proactively managing the risk.
Andrew Tsonchev, Director of Technology, Darktrace