Brits have chosen "a flawed and outdated cybersecurity model to convince themselves that they can manage the risk that Chinese intelligence services could use Huawei’s access to UK telco networks to insert bad code."
"5G decisions reflect one of those quietly pivotal moments that crystallise a change in world affairs."
"This is partly because the technology itself promises to be revolutionary, connecting not just humans but every device with a chip in it with super-fast, high-bandwidth and low-latency communications."
"That means if you have the keys to 5G networks, you will be trusted with the nervous system running down the backbone of every country which uses your gear and contracts you to service it."
"That includes critical infrastructure and safety-critical systems on which the lives and livelihoods of our citizens depend—traffic, power, water, food supply and hospitals."
"I was part of the team in the Australian Signals Directorate that tried to design a suite of cybersecurity controls that would give the government confidence that hostile intelligence services could not leverage their national vendors to gain access to our 5G networks."
"We developed pages of cybersecurity mitigation measures to see if it was possible to prevent a sophisticated state actor from accessing our networks through a vendor. But we failed."
"Cybersecurity is all about raising the costs for the attacker. Network access through vendors—which need to be all over 5G networks to maintain their equipment—effectively reduces the access cost to zero."
"With 5G, all network functionality is virtualised and takes place within a single cloud environment. That means there is no physical or logical separation between the core and edge of the network."
"The reality is mature 5G networks actually require the collapse of the core–edge distinction. 5G can only reach its potential for speed and low latency if sensitive functions can happen at the edge of the network close to the customer."
"In mature 5G networks, sensitive data and functions will be distributed throughout the network in a dynamic way which will be impossible to govern with certainty."
"Leaving aside the obvious point that digital sovereignty and the integrity of critical infrastructure are priceless, I have not seen any independent analysis of the impact of excluding Chinese vendors from 5G."
"Old-style cybersecurity evolved to deal with threats from outside the network. The ecosystem itself was trusted, and cybersecurity’s job was limited to protecting that ecosystem from external bad actors. But none of this works if the threat is inside your network."
"When you are one update away from being owned, a code review cannot provide any confidence that the code you checked reflects the code in your network."
"Even with expensive oversight by cleared personnel, it would be hard to spot malware developed by a top-notch intelligence agency, especially when the network is down and your customers are screaming."
"the fundamental issue is one of trust between nations in cyberspace. Over the past decade, the Chinese Communist Party has destroyed that trust through its scaled and indiscriminate hacking of foreign networks and its determination to direct and control Chinese tech companies."
"China wants it both ways—to be treated by the same rules as other countries but to break those rules when it suits."
"It’s simply not reasonable to expect that Huawei would refuse a direction from the Chinese Communist Party, especially one backed by law."
"The ability to compel Chinese vendors of 5G is a strategic capability for China’s intelligence services. Huawei’s competitive offerings in a revolutionary technology like 5G are an unsurpassable opportunity. And China has demonstrated ample malign intent in cyberspace."
"So, if your telcos have a 5G operation and maintenance contract with a company beholden to the intelligence agencies of a foreign state, and that state does not share your interests, you need to consider the risk that you are paying a fox to babysit your chickens."
