Internet of Things

No pan-EU Huawei ban as Commission endorses 5G risk mitigation plan


The European Commission has endorsed a risk mitigation approach to managing 5G rollouts across the bloc — meaning there will be no pan-EU ban on Huawei. Rather it’s calling for Member States to coordinate and implement a package of “mitigating measures” in a 5G toolbox it announced last October and has endorsed today.

“Through the toolbox, the Member States are committing to move forward in a joint manner based on an objective assessment of identified risks and proportionate mitigating measures,” it writes in a press release.

It adds that Member States have agreed to “strengthen security requirements, to assess the risk profiles of suppliers, to apply relevant restrictions for suppliers considered to be high risk including necessary exclusions for key assets considered as critical and sensitive (such as the core network functions), and to have strategies in place to ensure the diversification of vendors”.

The move is another blow for the Trump administration — after the UK government announced yesterday that it would not be banning so-called “high risk” providers from supplying 5G networks.

Instead the UK said it will place restrictions on such suppliers — barring their kit from the “sensitive” ‘core’ of 5G networks, as well as from certain strategic sites (such as military locations), and placing a 35% cap on such kit supplying the access network.

However the US has been amping up pressure on the international community to shut the door entirely on the Chinese tech giant, claiming there’s inherent strategic risk in allowing Huawei to be involved in supplying such critical infrastructure — with the Trump administration seeking to demolish trust in Chinese-made technology.

Next-gen 5G is expected to support a new breed of responsive applications — such as self-driving cars and personalized telemedicine — where risks, should there be any network failure, are likely to scale too.

But the Commission takes the view that such risks can be collectively managed.

The approach to 5G security continues to leave decisions on “specific security” measures as the responsibility of Member States. So there’s a possibility of individual countries making their own decisions to shut out Huawei. But in Europe the momentum appears to be against such moves.

“The collective work on the toolbox demonstrates a strong determination to jointly respond to the security challenges of 5G networks,” the EU writes. “This is essential for a successful and credible EU approach to 5G security and to ensure the continued openness of the internal market provided risk-based EU security requirements are respected.”

The next deadline for the 5G toolbox is April 2020, when the Commission expects Member States to have implemented the recommended measures. A joint report on their implementation will follow later this year.

Key actions being endorsed in the toolbox include:

  • Strengthen security requirements for mobile network operators (e.g. strict access controls, rules on secure operation and monitoring, limitations on outsourcing of specific functions, etc.);
  • Assess the risk profile of suppliers; as a consequence, apply relevant restrictions for suppliers considered to be high risk – including necessary exclusions to effectively mitigate risks – for key assets defined as critical and sensitive in the EU-wide coordinated risk assessment (e.g. core network functions, network management and orchestration functions, and access network functions);
  • Ensure that each operator has an appropriate multi-vendor strategy to avoid or limit any major dependency on a single supplier (or suppliers with a similar risk profile), ensure an adequate balance of suppliers at national level and avoid dependency on suppliers considered to be high risk; this also requires avoiding any situations of lock-in with a single supplier, including by promoting greater interoperability of equipment.

The Commission also recommends that Member States should contribute towards increasing diversification and sustainability in the 5G supply chain and co-ordinate on standardization around security objectives and on developing EU-wide certification schemes.

Powered by WPeMatico

MicroEJ is taking over IoT on Earth and beyond


The internet of things (IoT) market is expanding at a rate where distinguishing it as a separate category is beginning to seem a bit absurd. Increasingly, new products — and updates of existing ones — are smart and/or connected. One company is changing the fundamental calculus behind this shift by lowering the barrier considerably when it comes to what it costs to make something ‘smart,’ both in terms of the upfront bill of materials, along with subsequent support and development costs.

MicroEJ CEO Fred Rivard took me through his company’s history from its founding in 2004 until now. Much of those earlier years were spent in development, but since around 2012 or so, the French company has been deploying for IoT devices what Android is to smartphones — a flexible, extensible platform that can operate on a wide range of hardware profiles while being relatively easy to target for application and feature developers. MicroEJ takes the ‘code once, deploy anywhere’ maxim to the extreme, since its platform is designed from the ground up to be incredibly conservative when it comes to resource consumption, meaning it can run on hardware with as little as one-tenth or more the bill of materials cost of running more complex operating platforms — like Android Things, for instance.

“We take category of device where currently, Android is too big,” Rivard said. “So it doesn’t fit, even though you would like to have the capability to add software easily devices, but you can’t because Android is too big. The cost of entry is roughly $10 to $15 per unit in hardware and bill of material — that’s the cost of Android […] So it would be great to be able to run an Android layer, but you can’t just because of the cost. So we managed to reduce that cost, and to basically design a very small layer that’s 1000 times smarter than Android.”


Whatever happened to the Next Big Things?


In tech, this was the smartphone decade. In 2009, Symbian was still the dominant ‘smartphone’ OS, but 2010 saw the launch of the iPhone 4, the Samsung Galaxy S, and the Nexus One, and today Android and iOS boast four billion combined active devices. Today, smartphones and their apps are a mature market, not a disruptive new platform. So what’s next?

The question presupposes that something has to be next, that this is a law of nature. It’s easy to see why it might seem that way. Over the last thirty-plus years we’ve lived through three massive, overlapping, world-changing technology platform shifts: computers, the Internet, and smartphones. It seems inevitable that a fourth must be on the horizon.

There has certainly been no shortage of nominees over the last few years. AR/VR; blockchains; chatbots; the Internet of Things; drones; self-driving cars. (Yes, self-driving cars would be a platform, in that whole new sub-industries would erupt around them.) And yet one can’t help but notice that every single one of those has fallen far short of optimistic predictions. What is going on?

You may recall that the growth of PCs, the Internet, and smartphones did not ever look wobbly or faltering. Here’s a list of Internet users over time: from 16 million in 1995 to 147 million in 1998. Here’s a list of smartphone sales since 2009: Android went from sub-1-million units to over 80 million in just three years. That’s what a major platform shift looks like.

Let’s compare each of the above, shall we? I don’t think it’s an unfair comparison. Each has had champions arguing it will, in fact, be That Big, and even people with more measured expectations have predicted growth will at least follow the trajectory of smartphones or the Internet, albeit maybe to a lesser peak. But in fact…

AR/VR: Way back in 2015 I spoke to a very well known VC who confidently predicted a floor of 10 million devices per year well before the end of this decade. What did we get? 3.7M to 4.7M to 6M, 2017 through 2019, while Oculus keeps getting reorg’ed. A 27% annual growth rate is OK, sure, but a consistent 27% growth rate is more than a little worrying for an alleged next big thing; it’s a long, long way from “10xing in three years.” Many people also predicted that by the end of this decade Magic Leap would look like something other than an utter shambles. Welp. As for other AR/VR startups, their state is best described as “sorry.”

Blockchains: I mean, Bitcoin’s doing just fine, sure, and is easily the weirdest and most interesting thing to have happened to tech in the 2010s; but the entire rest of the space? I’m broadly a believer in cryptocurrencies, but if you were to have suggested in mid-2017 to a true believer that, by the end of 2019, enterprise blockchains would essentially be dead, decentralized app usage would still be measured in the low thousands, and no real new use cases would have arisen other than collateralized lending for a tiny coterie — I mean, they would have been outraged. And yet, here we are.

Chatbots: No, seriously, chatbots were celebrated as the platform of the future not so long ago. (Alexa, about which more in a bit, is not a chatbot.) “The world is about to be re-written, and bots are going to be a big part of the future” was an actual quote. Facebook M was the future. It no longer exists. Microsoft’s Tay was the future. It really no longer exists. It was replaced by Zo. Did you know that? I didn’t. Zo also no longer exists.

The Internet of Things: let’s look at a few recent headlines, shall we? “Why IoT Has Consistently Fallen Short of Predictions.” “Is IoT Dead?” “IoT: Yesterday’s Predictions vs. Today’s Reality.” Spoiler: that last one does not discuss how reality has blown previous predictions out of the water. Rather, “The reality turned out to be far less rosy.”

Drones: now, a lot of really cool things are happening in the drone space, I’ll be the first to aver. But we’re a long way away from physical packet-switched networks. Amazon teased Prime Air delivery way back in 2015 and made its first drone delivery way back in 2016, which is also when it patented its blimp mother ship. People expected great things. People still expect great things. But I think it’s fair to say they expected … a bit more … by now.

Self-driving cars: We were promised so much more, and I’m not even talking about Elon Musk’s hyperbole. From 2016: “10 million self-driving cars will be on the road by 2020.” “True self-driving cars will arrive in 5 years, says Ford”. We do technically have a few, running in a closed pilot project in Phoenix, courtesy of Waymo, but that’s not what Ford was talking about: “Self-driving Fords that have no steering wheels, brake or gas pedals will be in mass production within five years.” So, 18 months from now, then. 12 months left for that “10 million” prediction. You’ll forgive a certain skepticism on my part.

The above doesn’t mean we haven’t seen any successes, of course. A lot of new kinds of products have been interesting hits: AirPods, the Apple Watch, the Amazon Echo family. All three are more new interfaces than whole new major platforms, though; not so much a gold rush as a single vein of silver.

You may notice I left machine learning / AI off the list. This is in part because it definitely has seen real qualitative leaps, but a) there seems to be a general concern that we may have entered the flattening of an S-curve there, rather than continued hypergrowth, b) either way, it’s not a platform. Moreover, the wall that both drones and self-driving cars have hit is labelled General Purpose Autonomy … in other words, it is an AI wall. AI does many amazing things, but when people predicted 10M self-driving cars on the roads next year, it means they predicted AI would be good enough to drive them. In fact it’s getting there a lot slower than we expected.

Any one of these technologies could define the next decade. But another possibility, which we have to at least consider, is that none of them might. It is not an irrefutable law of nature that just as one major tech platform begins to mature another must inevitably start its rise. We may well see a lengthy gap before the next Next Big Thing. Then we may see two or three rise simultaneously. But if your avowed plan is that this time you’re totally going to get in on the ground floor — well, I’m here to warn you, you may have a long wait in store.


Many smart home device makers still won’t say if they give your data to the government


A year ago, we asked some of the most prominent smart home device makers if they have given customer data to governments. The results were mixed.

The big three smart home device makers — Amazon, Facebook and Google (which includes Nest) — all disclosed in their transparency reports if and when governments demand customer data. Apple said it didn’t need a report, as the data it collects was anonymized.

As for the rest, none had published their government data-demand figures.

In the year that’s passed, the smart home market has grown rapidly, but the remaining device makers have made little to no progress on disclosing their figures. And in some cases, it got worse.

Smart home and other internet-connected devices may be convenient and accessible, but they collect vast amounts of information on you and your home. Smart locks know when someone enters your house, and smart doorbells can capture their face. Smart TVs know which programs you watch and some smart speakers know what you’re interested in. Many smart devices collect data when they’re not in use — and some collect data points you may not even think about, like your wireless network information, for example — and send them back to the manufacturers, ostensibly to make the gadgets — and your home — smarter.

Because the data is stored in the cloud by the device manufacturers, law enforcement and government agencies can demand those companies turn over that data to solve crimes.

But as the amount of data collection increases, companies are not being transparent about the data demands they receive. All we have are anecdotal reports — and there are plenty: Police obtained Amazon Echo data to help solve a murder; Fitbit turned over data that was used to charge a man with murder; Samsung helped catch a sex predator who watched child abuse imagery; Nest gave up surveillance footage to help jail gang members; and recent reporting on Amazon-owned Ring shows close links between the smart home device maker and law enforcement.

Here’s what we found.

Smart lock and doorbell maker August gave the exact same statement as last year, that it “does not currently have a transparency report and we have never received any National Security Letters or orders for user content or non-content information under the Foreign Intelligence Surveillance Act (FISA).” But August spokesperson Stephanie Ng would not comment on the number of non-national security requests — subpoenas, warrants and court orders — that the company has received, only that it complies with “all laws” when it receives a legal demand.

Roomba maker iRobot said, as it did last year, that it has “not received” any government demands for data. “iRobot does not plan to issue a transparency report at this time,” but it may consider publishing a report “should iRobot receive a government request for customer data.”

Arlo, a former Netgear smart home division that spun out in 2018, did not respond to a request for comment. Netgear, which still has some smart home technology, said it does “not publicly disclose a transparency report.”

Amazon-owned Ring, whose cooperation with law enforcement has drawn ire from lawmakers and faced questions over its ability to protect users’ privacy, said last year it planned to release a transparency report in the future, but did not say when. This time around, Ring spokesperson Yassi Shahmiri would not comment and stopped responding to repeated follow-up emails.

Honeywell spokesperson Megan McGovern would not comment and referred questions to Resideo, the smart home division Honeywell spun out a year ago. Resideo’s Bruce Anderson did not comment.

And just as last year, Samsung, a maker of smart devices and internet-connected televisions and other appliances, also did not respond to a request for comment.

On the whole, the companies’ responses were largely the same as last year.

But smart switch and sensor maker Ecobee, which last year promised to publish a transparency report “at the end of 2018,” did not follow through with its promise. When we asked why, Ecobee spokesperson Kristen Johnson did not respond to repeated requests for comment.

Based on the best available data, August, iRobot, Ring and the rest of the smart home device makers have hundreds of millions of users and customers around the world, with the potential to give governments vast troves of data — and users and customers are none the wiser.

Transparency reports may not be perfect, and some are less transparent than others. But if big companies — even after bruising headlines and claims of co-operation with surveillance states — disclose their figures, there’s little excuse for the smaller companies.

This time around, some companies fared better than their rivals. But for anyone mindful of their privacy, you can — and should — expect better.


Now even the FBI is warning about your smart TV’s security


If you just bought a smart TV on Black Friday or plan to buy one for Cyber Monday tomorrow, the FBI wants you to know a few things.

Smart TVs are like regular television sets but with an internet connection. With the advent and growth of Netflix, Hulu and other streaming services, most saw internet-connected televisions as a cord-cutter’s dream. But like anything that connects to the internet, it opens up smart TVs to security vulnerabilities and hackers. Not only that, many smart TVs come with a camera and a microphone. But as is the case with most other internet-connected devices, manufacturers often don’t put security as a priority.

That’s the key takeaway from the FBI’s Portland field office, which just ahead of some of the biggest shopping days of the year posted a warning on its website about the risks that smart TVs pose.

“Beyond the risk that your TV manufacturer and app developers may be listening and watching you, that television can also be a gateway for hackers to come into your home. A bad cyber actor may not be able to access your locked-down computer directly, but it is possible that your unsecured TV can give him or her an easy way in the backdoor through your router,” wrote the FBI.

The FBI warned that hackers can take control of your unsecured smart TV and in worst cases, take control of the camera and microphone to watch and listen in.

Active attacks and exploits against smart TVs are rare, but not unheard of. Because every smart TV comes with its manufacturer’s own software and is at the mercy of that manufacturer’s often unreliable and irregular security patching schedule, some devices are more vulnerable than others. Earlier this year, hackers showed it was possible to hijack Google’s Chromecast streaming stick and broadcast random videos to thousands of victims.

In fact, some of the biggest exploits targeting smart TVs in recent years were developed by the Central Intelligence Agency, but were stolen. The files were later published online by WikiLeaks.

But as much as the FBI’s warning is responding to genuine fears, arguably one of the bigger issues, and one that should cause as much if not greater concern, is how much tracking data is collected on smart TV owners.

The Washington Post earlier this year found that some of the most popular smart TV makers — including Samsung and LG — collect tons of information about what users are watching in order to help advertisers better target ads against their viewers and to suggest what to watch next, for example. The TV tracking problem became so problematic a few years ago that smart TV maker Vizio had to pay $2.2 million in fines after it was caught secretly collecting customer viewing data. Earlier this year, a separate class action suit related to the tracking against Vizio was allowed to go ahead.

The FBI recommends placing black tape over an unused smart TV camera, keeping your smart TV up-to-date with the latest patches and fixes, and reading the privacy policy to better understand what your smart TV is capable of.

As convenient as it might be, the most secure smart TV might be one that isn’t connected to the internet at all.


European risk report flags 5G security challenges


European Union Member States have published a joint risk assessment report into 5G technology which highlights increased security risks that will require a new approach to securing telecoms infrastructure.

The EU has so far resisted pressure from the U.S. to boycott Chinese tech giant Huawei as a 5G supplier on national security grounds, with individual Member States such as the UK also taking their time to chew over the issue.

But the report flags risks to 5G from what it couches as “non-EU state or state-backed actors” — which can be read as diplomatic code for Huawei. Though, as some industry watchers have been quick to point out, the label could be applied rather closer to home in the near future, should Brexit come to pass…

Some parts of the 5G report on risk of non-EU cyberattacks may accidentally gain a new unexpected meaning after #Brexit (https://t.co/o7gyV0hqCv) https://t.co/VgU30kRz4p

— Lukasz Olejnik (@lukOlejnik) October 9, 2019

Back in March, as European telecom industry concern swirled about how to respond to US pressure to block Huawei, the Commission stepped in to issue a series of recommendations — urging Member States to step up individual and collective attention to mitigate potential security risks as they roll out 5G networks.

Today’s risk assessment report follows on from that.

It identifies a number of “security challenges” that the report suggests are “likely to appear or become more prominent in 5G networks” vs current mobile networks — linked to the expanded use of software to run 5G networks; and software and apps that will be enabled by and run on the next-gen networks.

The role of suppliers in building and operating 5G networks is also noted as a security challenge, with the report warning of a “degree of dependency on individual suppliers”, and also of too many eggs being placed in the basket of a single 5G supplier.

Summing up the effects expected to follow 5G rollouts, per the report, it predicts:

  • An increased exposure to attacks and more potential entry points for attackers: With 5G networks increasingly based on software, risks related to major security flaws, such as those deriving from poor software development processes within suppliers are gaining in importance. They could also make it easier for threat actors to maliciously insert backdoors into products and make them harder to detect.
  • Due to new characteristics of the 5G network architecture and new functionalities, certain pieces of network equipment or functions are becoming more sensitive, such as base stations or key technical management functions of the networks.
  • An increased exposure to risks related to the reliance of mobile network operators on suppliers. This will also lead to a higher number of attacks paths that might be exploited by threat actors and increase the potential severity of the impact of such attacks. Among the various potential actors, non-EU States or State-backed are considered as the most serious ones and the most likely to target 5G networks.
  • In this context of increased exposure to attacks facilitated by suppliers, the risk profile of individual suppliers will become particularly important, including the likelihood of the supplier being subject to interference from a non-EU country.
  • Increased risks from major dependencies on suppliers: a major dependency on a single supplier increases the exposure to a potential supply interruption, resulting for instance from a commercial failure, and its consequences. It also aggravates the potential impact of weaknesses or vulnerabilities, and of their possible exploitation by threat actors, in particular where the dependency concerns a supplier presenting a high degree of risk.
  • Threats to availability and integrity of networks will become major security concerns: in addition to confidentiality and privacy threats, with 5G networks expected to become the backbone of many critical IT applications, the integrity and availability of those networks will become major national security concerns and a major security challenge from an EU perspective.

The high level report is a compilation of Member States’ national risk assessments, working with the Commission and the European Agency for Cybersecurity. It’s couched as just a first step in developing a European response to securing 5G networks.

“It highlights the elements that are of particular strategic relevance for the EU,” the report says in self-summary. “As such, it does not aim at presenting an exhaustive analysis of all relevant aspects or types of individual cybersecurity risks related to 5G networks.”

The next step will be the development, by December 31, of a toolbox of mitigating measures, agreed by the Network and Information Systems Cooperation Group, which will be aimed at addressing identified risks at national and Union level.

“By 1 October 2020, Member States – in cooperation with the Commission – should assess the effects of the Recommendation in order to determine whether there is a need for further action. This assessment should take into account the outcome of the coordinated European risk assessment and of the effectiveness of the measures,” the Commission adds.

For the toolbox a variety of measures are likely to be considered, per the report — consisting of existing security requirements for previous generations of mobile networks with “contingency approaches” that have been defined through standardisation by the mobile telephony standards body, 3GPP, especially for core and access levels of 5G networks.

But it also warns that “fundamental differences in how 5G operates also means that the current security measures as deployed on 4G networks might not be wholly effective or sufficiently comprehensive to mitigate the identified security risks”, adding that: “Furthermore, the nature and characteristics of some of these risks makes it necessary to determine if they may be addressed through technical measures alone.

“The assessment of these measures will be undertaken in the subsequent phase of the implementation of the Commission Recommendation. This will lead to the identification of a toolbox of appropriate, effective and proportionate possible risk management measures to mitigate cybersecurity risks identified by Member States within this process.”

The report concludes with a final line saying that “consideration should also be given to the development of the European industrial capacity in terms of software development, equipment manufacturing, laboratory testing, conformity evaluation, etc” — packing an awful lot into a single sentence.

The implication is that the business of 5G security will need to get commensurately large to scale to meet the multi-dimensional security challenge that goes hand in glove with the next-gen tech. Just banning a single supplier isn’t going to cut it.


HTC’s new CEO discusses the phonemaker’s future


On September 17, HTC announced that cofounder Cher Wang would be stepping down as CEO. In her place, Yves Maitre stepped into the role of Chief Executive, after more than a decade at French telecom giant, Orange.

It’s a tough job at an even tougher time. The move comes on the tail of five consecutive quarterly losses and major layoffs, including a quarter of the company’s staff, which were let go in July of last year.

It’s a far fall for a company that comprised roughly 11 percent of global smartphone sales, some eight years ago. These days, HTC is routinely relegated to the “other” column when these figures are published.

All of this is not to say that the company doesn’t have some interesting irons in the fire. With Vive, HTC has demonstrated its ability to offer a cutting edge VR platform, while Exodus has tapped into an interest in exploring the use of blockchain technologies for mobile devices.

Of course, neither of these examples shows any sign of displacing HTC’s once-booming mobile device sales. And this January’s $1.1 billion sale of a significant portion of its hardware division to Google has left many wondering whether it has much gas left in the mobile tank.

With Wang initially scheduled to appear on stage at Disrupt this week, the company ultimately opted to have Maitre sit in on the panel instead. In preparation for the conversation, we sat down with the executive to discuss his new role and future of the struggling Taiwanese hardware company.

5G, XR and the future of the HTC brand


UK to toughen telecoms security controls to shrink 5G risks


Amid ongoing concerns about security risks posed by the involvement of Chinese tech giant Huawei in 5G supply, the U.K. government has published a review of the telecoms supply chain, which concludes that policy and regulation in enforcing network security need to be significantly strengthened to address concerns.

However, it continues to hold off on setting an official position on whether to allow or ban Huawei from supplying the country’s next-gen networks — as the U.S. has been pressurizing its allies to do.

Giving a statement in parliament this afternoon, the U.K.’s digital minister, Jeremy Wright, said the government is releasing the conclusions of the report ahead of a decision on Huawei so that domestic carriers can prepare for the tougher standards it plans to bring in to apply to all their vendors.

“The Review has concluded that the current level of protections put in place by industry are unlikely to be adequate to address the identified security risks and deliver the desired security outcomes,” he said. “So, to improve cyber security risk management, policy and enforcement, the Review recommends the establishment of a new security framework for the UK telecoms sector. This will be a much stronger, security based regime than at present.

“The foundation for the framework will be a new set of Telecoms Security Requirements for telecoms operators, overseen by Ofcom and government. These new requirements will be underpinned by a robust legislative framework.”

Wright said the government plans to legislate “at the earliest opportunity” — to provide the regulator with stronger powers to enforce the incoming Telecoms Security Requirements, and to establish “stronger national security backstop powers for government.”

The review suggests the government is considering introducing GDPR-level penalties for carriers that fail to meet the strict security standards it will also be bringing in.

First policy response will be ‘soft’, common cybersecurity standards. Then regulations, with strict standards and #GDPR like fines. New powers allowing to compel telecoms to do something. And work to increase diversity. pic.twitter.com/nBLWneFUDK

— Lukasz Olejnik (@lukOlejnik) July 22, 2019

“Until the new legislation is put in place, government and Ofcom will work with all telecoms operators to secure adherence to the new requirements on a voluntary basis,” Wright told parliament today. “Operators will be required to subject vendors to rigorous oversight through procurement and contract management. This will involve operators requiring all their vendors to adhere to the new Telecoms Security Requirements.

“They will also be required to work closely with vendors, supported by government, to ensure effective assurance testing for equipment, systems and software, and to support ongoing verification arrangements.”

The review also calls for competition and diversity within the supply chain — which Wright said will be needed “if we are to drive innovation and reduce the risk of dependency on individual suppliers.”

The government will therefore pursue “a targeted diversification strategy, supporting the growth of new players in the parts of the network that pose security and resilience risks,” he added.

“We will promote policies that support new entrants and the growth of smaller firms,” he also said, sounding a call for security startups to turn their attention to 5G.

Government would “seek to attract trusted and established firms to the UK market,” he added — dubbing a “vibrant and diverse telecoms market” as both good for consumers and for national security.

“The Review I commissioned was not designed to deal only with one specific company and its conclusions have much wider application. And the need for them is urgent. The first 5G consumer services are launching this year,” he said. “The equally vital diversification of the supply chain will take time. We should get on with it.”

Last week two U.K. parliamentary committees espoused a view that there’s no technical reason to ban Huawei from all 5G supply — while recognizing there may be other considerations, such as geopolitics and human rights, which impact the decision.

The Intelligence and Security Committee also warned that what it dubbed the “unnecessarily protracted” delay in the government taking a decision about 5G suppliers is damaging U.K. relations abroad.

Despite being urged to get a move on the specific issue of Huawei, it’s notable that the government continues to hold off. Albeit, a new prime minister will be appointed later this week, after votes of Conservative Party members are counted — which may be contributing to ongoing delay.

“Since the US government’s announcement [on May 16, adding Huawei and 68 affiliates to its Entity List on national security grounds] we have sought clarity on the extent and implications but the position is not yet entirely clear. Until it is, we have concluded it would be wrong to make specific decisions in relation to Huawei,” Wright said, adding: “We will do so as soon as possible.”

In a press release accompanying the telecoms supply chain review the government said decisions would be taken about high risk vendors “in due course.”

Earlier this year a leak from a meeting of the U.K.’s National Security Council suggested the government was preparing to give an amber light to Huawei to continue supplying 5G — though limiting its participation to non-core portions of networks.

The Science & Technology Committee also recommended the government mandate the exclusion of Huawei from the core of 5G networks.

Wright’s statement appears to hint that that position remains the preferred one — barring a radical change of policy under a new PM — with, in addition to talk of encouraging diversity in the supply chain, the minister also flagging the review’s conclusion that there should be “additional controls on the presence in the supply chain of certain types of vendor which pose significantly greater security and resilience risks to UK telecoms.”

“Additional controls” doesn’t sound like a euphemism for an out-and-out ban.

In a statement responding to the review, Huawei expressed confidence that its days of supplying U.K. 5G are not drawing to a close — writing:

The UK Government’s Supply Chain Review gives us confidence that we can continue to work with network operators to rollout 5G across the UK. The findings are an important step forward for 5G and full fibre broadband networks in the UK and we welcome the Government’s commitment to “a diverse telecoms supply chain” and “new legislation to enforce stronger security requirements in the telecoms sector”. After 18 years of operating in the UK, we remain committed to supporting BT, EE, Vodafone and other partners build secure, reliable networks.

The evidence shows excluding Huawei would cost the UK economy £7 billion and result in more expensive 5G networks, raising prices for anyone with a mobile device. On Friday, Parliament’s Intelligence & Security Committee said limiting the market to just two telecoms suppliers would reduce competition, resulting in less resilience and lower security standards. They also confirmed that Huawei’s inclusion in British networks would not affect the channels used for intelligence sharing.

A spokesman for the company told us it already supplies non-core elements of the networks of U.K. carriers EE and Vodafone, adding that it’s viewing Wright’s statement as an endorsement of that status quo.

While the official position remains to be confirmed, all the signals suggest the U.K.’s 5G security strategy will be tied to tightened regulation and oversight, rather than follow a U.S. path of seeking to shut out Chinese tech giants.

Commenting on the government’s telecoms supply chain review in a statement, Ciaran Martin, CEO of the U.K.’s National Cyber Security Centre, said: “As the UK’s lead technical authority, we have worked closely with DCMS [the Department for Digital, Culture, Media and Sport] on this review, providing comprehensive analysis and cyber security advice. These new measures represent a tougher security regime for our telecoms infrastructure, and will lead to higher standards, much greater resilience and incentives for the sector to take cyber security seriously.

“This is a significant overhaul of how we do telecoms security, helping to keep the UK the safest place to live and work online by ensuring that cyber security is embedded into future networks from inception.”

Although, tougher security standards for telecoms combined with updated regulations that bake in major fines for failure suggest Huawei will have its work cut out not to be excluded by the market, as carriers will be careful about vendors as they work to shrink their risk.

Earlier this year a report by an oversight body that evaluates Huawei’s approach to security was withering — finding “serious and systematic defects” in its software engineering and cybersecurity competence.


Huawei 5G indecision is hitting UK’s relations abroad, warns committee


The U.K.’s next prime minister must prioritize a decision on whether or not to allow Chinese tech giant Huawei to be a 5G supplier, a parliamentary committee has urged — warning that the country’s international relations are being “seriously damaged” by ongoing delay.

In a statement on 5G suppliers, the Intelligence and Security committee (ISC) writes that the government must take a decision “as a matter of urgency.”

Earlier this week another parliamentary committee, which focuses on science and technology, concluded there is no technical reason to exclude Huawei as a 5G supplier, despite security concerns attached to the company’s ties to the Chinese state, though it did recommend it be excluded from core 5G supply.

The delay in the U.K. settling on a 5G-supplier policy can be linked not only to the complexities of trying to weigh and balance security considerations with geopolitical pressures but also ongoing turmoil in domestic politics, following the 2016 EU referendum Brexit vote — which continues to suck most of the political oxygen out of Westminster. (And will very soon have despatched two U.K. prime ministers in three years.)

Outgoing PM Theresa May, whose successor is due to be selected by a vote by Conservative Party members next week, appeared to be leaning toward giving Huawei an amber light earlier this year.

A leak to the press from a National Security Council meeting back in April suggested Huawei would be allowed to provide kit, but only for non-core parts of 5G networks — raising questions about how core and non-core are delineated in the next-gen networks.

The leak led to the sacking by May of the then defense minister, Gavin Williamson, after an investigation into confidential information being passed to the media in which she said she had lost confidence in him.

The publication of a government Telecoms Supply Chain Review, whose terms of reference were published last fall, has also been delayed — leading carriers to press the government for greater clarity last month.

But with May herself now on the way out, having agreed in May to step down as PM, the decision on 5G supply is on hold.

It will be down to either Boris Johnson or Jeremy Hunt, the two remaining contenders to take over as PM, to choose whether or not to let the Chinese tech giant supply U.K. 5G networks.

Whichever of the men wins the vote, they will arrive in the top job needing to give their full attention to finding a way out of the Brexit morass — with a mere three months til an October 31 Brexit extension deadline looming. So there’s a risk 5G may not seem as urgent an issue and a decision again be kicked back.

In its statement on 5G supply, the ISC backs the view expressed by the public-facing branch of the U.K.’s intelligence service that network security is not dependent on any one supplier being excluded from building it — writing that: “The National Cyber Security Centre… has been clear that the security of the UK’s telecommunications network is not about one company or one country: the ‘flag of origin’ for telecommunications equipment is not the critical element in determining cyber security.”

The committee argues that “some parts of the network will require greater protection” — writing that “critical functions cannot be put at risk” but also that there are “less sensitive functions where more risk can be carried”, albeit without specifying what those latter functions might be.

“It is this distinction — between the sensitivity of the functions — that must determine security, rather than where in the network those functions are located: notions of ‘core’ and ‘edge’ are therefore misleading in this context,” it adds. “We should therefore be thinking of different levels of security, rather than a one size fits all approach, within a network that has been built to be resilient to attack, such that no single action could disable the system.”

The committee’s statement also backs the view that the best way to achieve network resilience is to support diversity in the supply chain — i.e. by supporting more competition.

But at the same time it emphasizes that the 5G supply decision “cannot be viewed solely through a technical lens — because it is not simply a decision about telecommunications equipment.”

“This is a geostrategic decision, the ramifications of which may be felt for decades to come,” it warns, raising concerns about the perceptions of U.K. intelligence sharing partners by emphasizing the need for those allies to trust the decisions the government makes.

It also couches a U.K. decision to give Huawei access as a risk by suggesting it could be viewed externally as an endorsement of the company, thereby encouraging other countries to follow suit — without paying the full (and, it asserts, vitally necessary) attention to the security piece.

“The UK is a world leader in cyber security: therefore if we allow Huawei into our 5G network we must be careful that that is not seen as an endorsement for others to follow. Such a decision can only happen where the network itself will be constructed securely and with stringent regulation,” it writes.

The committee’s statement goes on to raise as a matter of concern the U.K.’s general reliance on China as a technology supplier.

“One of the lessons the UK Government must learn from the current debate over 5G is that with the technology sector now monopolised by such a few key players, we are over-reliant on Chinese technology — and we are not alone in this, this is a global issue. We need to consider how we can create greater diversity in the market. This will require us to take a long term view — but we need to start now,” it warns.

It ends by reiterating that the debate about 5G supply has been “unnecessarily protracted” — pressing the next U.K. prime minister to get on and take a decision “so that all concerned can move forward.”


No technical reason to exclude Huawei as 5G supplier, says UK committee


A UK parliamentary committee has concluded there are no technical grounds for excluding Chinese network kit vendor Huawei from the country’s 5G networks.

In a letter from the chair of the Science & Technology Committee to the UK’s digital minister Jeremy Wright, the committee says: “We have found no evidence from our work to suggest that the complete exclusion of Huawei from the UK’s telecommunications networks would, from a technical point of view, constitute a proportionate response to the potential security threat posed by foreign suppliers.”

Though the committee does go on to recommend the government mandate the exclusion of Huawei from the core of 5G networks, noting that UK mobile network operators have “mostly” done so already — but on a voluntary basis.

If it places a formal requirement on operators not to use Huawei for core supply the committee urges the government to provide “clear criteria” for the exclusion so that it could be applied to other suppliers in future.

Reached for a response to the recommendations, a government spokesperson told us: “The security and resilience of the UK’s telecoms networks is of paramount importance. We have robust procedures in place to manage risks to national security and are committed to the highest possible security standards.”

The spokesperson for the Department for Digital, Media, Culture and Sport added: “The Telecoms Supply Chain Review will be announced in due course. We have been clear throughout the process that all network operators will need to comply with the Government’s decision.”

In recent years the US administration has been putting pressure on allies around the world to entirely exclude Huawei from 5G networks — claiming the Chinese company poses a national security risk.

Australia announced it was banning Huawei and another Chinese vendor ZTE from providing kit for its 5G networks last year. Though in Europe there has not been a rush to follow the US lead and slam the door on Chinese tech giants.

In April leaked information from a UK Cabinet meeting suggested the government had settled on a policy of granting Huawei access as a supplier for some non-core parts of domestic 5G networks, while requiring they be excluded from supplying components for use in network cores.

On this somewhat fuzzy issue of delineating core vs non-core elements of 5G networks, the committee writes that it “heard unanimously and clearly” from witnesses that there will still be a distinction between the two in the next-gen networks.

It also cites testimony by the technical director of the UK’s National Cyber Security Centre (NCSC), Dr Ian Levy, who told it “geography matters in 5G”, and pointed out Australia and the UK have very different “laydowns” — meaning “we may have exactly the same technical understanding, but come to very different conclusions”.

In a response statement to the committee’s letter, Huawei SVP Victor Zhang welcomed the committee’s “key conclusion” before going on to take a thinly veiled swipe at the US — writing: “We are reassured that the UK, unlike others, is taking an evidence based approach to network security. Huawei complies with the laws and regulations in all the markets where we operate.”

The committee’s assessment is not all comfortable reading for Huawei, though, with the letter also flagging the damning conclusions of the most recent Huawei Oversight Board report which found “serious and systematic defects” in its software engineering and cyber security competence — and urging the government to monitor Huawei’s response to the raised security concerns, and to “be prepared to act to restrict the use of Huawei equipment if progress is unsatisfactory”.

Huawei has previously pledged to spend $2BN addressing security shortcomings related to its UK business — a figure it was forced to qualify as an “initial budget” after that same Oversight Board report.

“It is clear that Huawei must improve the standard of its cybersecurity,” the committee warns.

It also suggests the government consults on whether telecoms regulator Ofcom needs stronger powers to be able to force network suppliers to clean up their security act, writing that: “While it is reassuring to hear that network operators share this point of view and are ready to use commercial pressure to encourage this, there is currently limited regulatory power to enforce this.”

Another committee recommendation is for the NCSC to be consulted on whether similar security evaluation mechanisms should be established for other 5G vendors — such as Ericsson and Nokia, two European-based kit vendors which, unlike Huawei, are expected to be supplying core 5G.

“It is worth noting that an assurance system comparable to the Huawei Cyber Security Evaluation Centre does not exist for other vendors. The shortcomings in Huawei’s cyber security reported by the Centre cannot therefore be directly compared to the cyber security of other vendors,” it notes.

On the issue of 5G security generally the committee dubs this “critical”, adding that “all steps must be taken to ensure that the risks are as low as reasonably possible”.

Where “essential services” that make use of 5G networks are concerned, the committee says witnesses were clear such services must be able to continue to operate safely even if the network connection is disrupted. Government must ensure measures are put in place to safeguard operation in the event of cyber attacks, floods, power cuts and other comparable events, it adds. 

While the committee concludes there is no technical reason to limit Huawei’s access to UK 5G, the letter does make a point of highlighting other considerations, most notably human rights abuses, emphasizing its conclusion does not factor them in at all — and pointing out: “There may well be geopolitical or ethical grounds… to enact a ban on Huawei’s equipment”.

It adds that Huawei’s global cyber security and privacy officer, John Suffolk, confirmed that a third party had supplied Huawei services to Xinjiang’s Public Security Bureau, despite Huawei forbidding its own employees from misusing IT and comms tech to carry out surveillance of users.

The committee suggests Huawei technology may therefore be being used to “permit the appalling treatment of Muslims in Western China”.
