Cybersecurity Is Failing Big-Time and This Is Hard to Fix

By Paul Budde

It has become clear that having a big cybersecurity war room is not enough to deliver true end-to-end security throughout the complex networks, systems and structures on which our modern society is based. Furthermore, looking at the ever-changing draconian government interventions in this space, it is also obvious that governments are often stabbing in the dark. The real problem is far more structural and complicated; there are no quick regulatory fixes, and companies like the telcos, as well as governments, are unwilling to tackle these difficult issues.

Rather than following a centralised approach to cybersecurity, we need to have a decentralised approach. This would also address the current political problems around the use of Chinese equipment for the 5G network.

It is hard to believe that national cybersecurity can be undermined by telecoms equipment manufacturers. Certainly there is genuine concern about the lack of independent governance institutions in China, but if it comes to the crunch, any government can force national companies — such as telcos — to adhere to their instructions. The American government has also looked at installing 'backdoor' tools in certain telecoms equipment that potentially could be used for spying purposes.

Furthermore, these interferences are totally independent of what equipment is used. Any telecoms infrastructure from one or multiple providers can be 'hacked' into by governments or others, such as criminal organisations.

So, yes, if we can put pressure on the Chinese government to build stronger independent institutions and adhere to global rules and norms, the better it will be for us all. But we shouldn't be too hypocritical here as Australia, for example, is introducing some of the most draconian cybersecurity laws in the world — laws that allow for government agencies to force companies to hand over any information and provide any assistance they ask for, all under the threat of severe penalties. Nevertheless, I do recognise the danger of authoritarian regimes such as the one in China, which now has a president for life and a 'social credit system'. These developments are the direct opposite of the open society that we need for a trustworthy, connected and hopefully cyber-secure world.

But banning China and introducing draconian regulations is not going to assist in creating better cybersecurity. Security is poor at best within all major — national and global — communications networks. They have been cobbled together over decades and security is poor, or even non-existent, at many different levels. Looking at telecoms networks shows what can happen if the companies are trying to upgrade and update their systems. A simple software glitch can cascade and bring the network down, sometimes for prolonged periods. So obviously, and understandably, there is a great reluctance on the part of telcos to start working inside their networks to add more and broader levels of cybersecurity.

In order to increase cybersecurity, it needs to be embedded in every single part of the network, all the way to the edge. This means that we need to look at very specific security developments in relation to content, data and its analytics, data centres, infrastructure, modems, handsets, browsers, chipsets, protocol security and so on. Perhaps the best-protected area within the network is the billing system — an indication that commercial security is still seen as more important than societal security.

Will this broader approach to cybersecurity happen any time soon? I doubt it. And draconian regulation, legislation and trade bans are not going to change this because of the abovementioned complexity of the telecoms network. Relying on these networks — be it 5G or otherwise — to provide cybersecurity is a lost battle. For the foreseeable future, the best security is encryption at the very source.

So banning Chinese equipment is not going to make any difference to national security. If China wants to spy they can use any network or any network equipment connected to the global telecoms network. As the ban on Chinese gear started in the USA, it is safe to say that this most likely has more to do with punishing the Chinese — because they are increasing their economic power around the globe — than it has to do with protecting against cyber-spying. Furthermore, no government has yet provided any evidence that Chinese equipment has been used for that purpose.

The Chinese ban might work against the improvement of cybersecurity, as some of the best and most cost-effective equipment needed for the new hi-tech 5G networks is no longer available to network operators in countries where governments have banned Chinese equipment.

In order to create a safer world, all nations need to work together, and together we need to make sure that authoritarian regimes also adhere to the same rules. The global importance of telecoms was the reason for it to become the very first United Nations institution back in 1865 and this institution — the ITU — still exists, highlighting the ongoing global importance of telecommunication. We should build on this to ensure that our ever more complex telecommunication infrastructure keeps delivering the best economic and social outcomes for all.

In looking at how to best address cybersecurity, it would also be useful to look at how the commercially oriented cyber surveillance systems pioneered by Google have evolved. These are now in widespread use throughout the marketing, advertising, PR and political propaganda channels, and they are highly successful in their use of all available hi-tech. What we can learn from them, on the one hand, is the transformational power of these new tools, and on the other the need for cybersecurity, including privacy security and assurances of positive societal outcomes.

By Paul Budde, Managing Director of Paul Budde Communication. Paul is also a contributor to the Paul Budde Communication blog.
