A zero-trust approach to cyber security

Stronger cyber defences and global rules are better than one-eyed geopolitical rivalry

Originally published June 28, 2021, by the Lowy Institute in The Interpreter

Amid the steady deterioration of the US-China relationship in recent years, China has become the focus of a new narrative of cyber risks, with one company targeted in particular, China’s champion of 5G technology, Huawei.

Australia was the first place to ban Huawei from a 5G rollout, in 2018. At the time, the intelligence advice was that Australia lacked capabilities to mitigate the elevated risks of 5G connectivity. To be sure, new tech connecting smart devices and networks at high speed will generate many more points of vulnerability to cyber-attacks. Following the Australian decision, the US not only banned Huawei on (as yet unproven) claims of espionage but has embarked on a campaign to block supplies of advanced semiconductors to many Chinese firms and it is advocating wholesale de-coupling from Chinese tech.

But is simply branding China a risk, and campaigning to block its technological rise, sustainable in the long run? Or might there be better ways to manage the complex risks of an interconnected digital future?

The usually unspoken irony about the espionage fears in relation to Huawei is that the US and its Five Eyes partners do exactly what they are accusing China of doing. There is nothing new about espionage; it’s often referred to as the second oldest profession. The primary argument against Huawei, that the Chinese state could direct the firm to do its bidding, appears on the face of it a reasonable fear, as indeed it might equally be a reasonable fear in relation to the US and other countries. The difference, of course, is that China may be unlikely to produce an Edward Snowden to reveal its secrets anytime soon.

Yet, state-sponsored cyber-attacks are not usually conducted in collaboration with telecommunications carriers, but more commonly by hacking in without invitation. That underlines why top-to-bottom cyber security ought to be supplier-blind. After all, cyber-attacks could come at any time from any direction, including states, criminal organisations and dedicated hackers.

So we shouldn’t pat ourselves on the backs too fast that all is solved by banning this or that company or blaming this or that superpower. It is understandable that, in the absence of strong cyber defences, Australia and a number of others have chosen simply to avoid the hypothetical risk posed by China, by banning its leading supplier of 5G equipment and services. But the Huawei debate, wrapped up in the current geopolitical contest, could be a distraction from the need to mount comprehensive cyber defences and prevent authorities from taking a pragmatic, sustainable global approach to a global problem.

Notably, Huawei has fought back, including with legal actions and opening up its equipment and source codes for scrutiny in testing centres around the world, including Belgium, Canada, Germany and the UK. It offered one to Australia, but was rebuffed. This month it opened, in Dongguan, China, the “world’s largest” cyber security and privacy protection transparency centre, which claims to offer scrutiny of how Huawei prevents backdoors, malware and malicious behaviour.

But this attempt to answer Huawei’s critics is providing an engineering answer to a geopolitical problem. The real issue is plummeting trust in China. Yet whether China engages in cyber-attacks is not the real question; it surely does, just like the US, Russia and many others. In cyber security, zero-trust in all actors is the more appropriate strategy.

“Zero-trust” is how all of the experts I have interviewed in my research on cyber risks have characterised a robust approach, to defend against threats no matter their source.

Governments, firms and individuals everywhere need to invest much more in cyber security. Unfortunately, there may never be 100% cyber security (just as in any other form of security) but in the 21st century all nations arguably need a “Cyber Security Force” as an integral part of national defence.

A Cyber Security Force should have the capacity to activate firewalls with lightning speed and to protect national data without snooping on it. That is why it should not be housed within national intelligence agencies, which play cyber offence, but as a part of national defence. It should have the power to demand inspection of all equipment and source codes at all times, and the capacity to take over a network if the supplier firm refuses to cooperate with a cyber security baseline.

A Cyber Security Force should ceaselessly scan for malicious actors based on zero-trust, proportionate risk assessment. It would need to be nimble, deploying up-to-date technical capabilities to block cyber-attacks, not only on critical public infrastructure but also working with the private sector to protect against major attacks that could cripple the economy. If an adversary engages in cyber confrontation or attack, a Cyber Security Force may need to threaten or mount a counter-attack, but it should be as transparent as a military deployment and subject to the same scrutiny, calling out bad actors with evidence rather than just assumptions. It would be about the state stepping up, with capabilities equal to the challenge, regulating where necessary, deterring and defending always.

However, even strengthened national cyber defence is not enough. We also need global solutions if we are to make the globally connected technologies of the future as safe as possible. At the international level, rigorous and enforceable rules are needed, along with norms and standards for cyber security. Reliable and secure governance will be essential for the cross-border interdependence implicit in the Internet of Things.

As difficult as this is to swallow for some, developing global rules will mean pragmatically working with China, given its likely continued central role in global value chains. The great lost opportunity of the post-Cold War era was the failure of the single remaining superpower to invest in strengthening the United Nations system. But it’s time to consider a new multilateral framework to tackle the security and other challenges of new tech.

A change of administration in the US could be the opportunity to bring the US back to the table on pragmatic rule-making at the multilateral level. Just as the Biden administration is engaging with China on climate change and other key global challenges, it’s time to grapple with a less ideological and more pragmatic approach to cyber risks.

It’s time to consider a “World Cyber Security Organisation” to manage and enforce rules for a safe digital economy. Such an organisation, strengthening and coordinating the currently dispersed and disjointed attempts to build rules, could be empowered to relentlessly develop and enforce proportionate security standards. It would need to be blind to the country of origin of tech firms. It could oversee testing centres, bringing an equal measure of scrutiny to all firms in all countries to ensure compliance. If the two competing superpowers would agree to that, it would be a major step forward indeed. Without their commitment, of course, it cannot happen.

That there is no serious discussion about global rules for cyber security, at a time when digital transformation is about to connect us all in unprecedented ways, is extraordinary to say the least.

It may seem unrealistic to propose a new multilateral approach at this time. Rule-making and enforcement also seemed unrealistic in the early years of the US-Soviet geopolitical competition, but the International Atomic Energy Agency and a slew of arms control agreements became essential in building trust and preventing disaster, as well as ultimately playing a role in ending the Cold War. As Ronald Reagan used to say, trust but verify.

A zero-trust approach to cyber security, pragmatic and defensive rather than ideological, together with effective global rules for new tech, could yet demonstrate that, as in previous eras, it is possible to co-exist, verify and enforce minimum standards to protect us from harmful actors. The alternative – a world of weaponised tech and anarchic law of the cyber jungle – is unthinkable, but through a lack of thought we are drifting in that direction.