Are new ‘smart devices’ cybersecurity laws strong enough?
In October 2012, the U.S. House of Representatives’ intelligence committee released its investigative report on the U.S. national security issues posed by Chinese telecommunications companies Huawei and ZTE. This was the first shot across the bow at the People’s Republic of China (PRC) and its espionage activities.
A month later, President Biden signed the Secure Equipment Act, a law that gives the Federal Communications Commission the authority to deny equipment authorisations from its “Covered List” of equipment that poses an unacceptable risk to national security.
Although parts of the report were mocked as unfairly singling out China, it has become prescient in light of recent high profile attacks like SolarWinds – where suspected Russian-backed hackers compromised SolarWinds’s updates to their widely used Orion product, which in turn infected an estimated 18,000 Orion users – not to mention the increase in suspected Kremlin-backed cyber activity and the risk of state-sponsored attacks stemming from the ongoing Russian invasion of Ukraine.
What this tells us is that security is far from being just about the hardware; it is also about the software. While Chinese hardware could pass an intensive examination for backdoors or specific exploitable flaws, malware hidden deep inside updates delivered months later could give China the access it desires to US networks.
Implications for the UK
Likewise, the UK government banned the use of Huawei gear in the development and deployment of new 5G networks from September 2021, and instructed UK telecoms providers to remove Huawei equipment from the country’s 5G networks.
The UK government went a step further with the Telecommunications (Security) Act 2021, which sets out specific security measures that telecoms providers must take to protect their networks and services. It has also recently launched a consultation with the nation’s telecoms firms on the legal instruments that would mandate the removal of all Huawei equipment from 5G networks. The proposed measures would require fibre broadband operators to stop installing Huawei equipment affected by US sanctions, including any equipment whose supply chain or manufacturing process has been altered as a result of those sanctions.
But now, as the threat of future cyber attacks becomes a probability rather than a possibility for many UK organisations, the focus in the UK has grown to include building resilience against malware.
This is particularly the case now that Russia has invaded Ukraine and the UK has announced sanctions on Russia. Many organisations are concerned about malicious activity from Russian-backed attackers, and wondering what steps they should take.
What can UK businesses do to build their resilience?
Attacks such as the previously mentioned SolarWinds and the one on Microsoft’s Exchange Servers – which exploited flaws in Microsoft’s email software and affected more than 30,000 organisations – showed how vulnerabilities in third-party products and services can be exploited. If this happens, it could affect hundreds of thousands of organisations at the same time and cripple critical infrastructure, as we saw in the Colonial Pipeline attack last year which caused a shutdown of its 5,550-mile gasoline pipeline.
At a minimum, UK organisations must meet legal standards for cyber security or risk incurring fines. But basic legal compliance should not be the only course of action: the cost of a successful breach would far outweigh any fine for non-compliance.
Businesses need to implement robust cyber practices, reinforce user awareness, and make sure everyone knows their roles and responsibilities in keeping data and networks secure. It is crucial to revisit incident response (IR) procedures, ensure all required resources are available, and confirm that IR personnel are fully briefed. All software should be patched and running the latest versions.
In addition, organisations need to ensure they have the right cyber protection in place. Software supply chain attacks exploit the trust between vendors and users and their reliance on whitelisting, which grants access to named entities and denies it to everyone else. When attackers compromise software that is signed and certified, users are exposed if they do not have adequate protection.
Out of 33,000 SolarWinds customers using Orion, 18,000 were infected with malware. Orion users with automated threat prevention, detection and response technology were able to stay protected from the SolarWinds threat.
The UK government has stated that it aims to “implement one of the toughest telecoms security regimes in the world.” Part of that plan is its 5G Diversification Strategy, which seeks to ensure the UK’s telecoms supply chain is resilient to future trends and threats.
This attention to the supply chain comes as no surprise, as we’ve seen that it’s one thing to make parts, but it’s another to control the entire supply chain, particularly when it comes to the deployment of critical technology. The SolarWinds attack showed just how damaging it can be when even a single part of the software supply chain is compromised.
Laws such as the Secure Equipment Act and the UK Telecommunications (Security) Act 2021 are necessary tools to level an unfair playing field, but it’s up to businesses themselves to do their part and ensure their cybersecurity capability is up to the challenge.
Morgan Wright is an internationally recognised expert on cybersecurity strategy, cyberterrorism, national security, and intelligence. He currently serves as a Senior Fellow at The Center for Digital Government, Chief Security Advisor for SentinelOne, and the chief technology analyst for Fox News and Fox Business.