The Irish gov has released its Electronic Communications Security Measures (ECSMs), effectively a reaction to risks in #5G technologies and networks. Here's a summary of what it does say...
Ireland’s Risk Assessment concluded that nation-state actors pose the greatest risk to networks. It looks like technologies that are not granted exceptions must be ripped and replaced by 2027. Is this a ban on high-risk vendors, if the bar is very high?
There are serious risks affecting #5G networks, in particular risks arising from poorly written or malicious code, supply chain risks (particularly those arising from high-risk suppliers) and the risk of third-country or State interference.
The Irish assessment broadly agrees with the EU assessment, which aligns with the US, UK, Australian, Canadian, New Zealand, French and other security bodies.
The ECSMs should be seen as the absolute bare bones minimum level of security that should be implemented. The ECSMs will evolve over time, and operators should be mindful of this in their choices of technologies.
Primary legislation will be required for this. Something I have pointed out time and time again.
The operators are going to be given some breathing room to prepare their networks (this wouldn't have been needed if we had done what needed to be done in the first place).
The ECSMs do not ban a specific vendor, and operators will be able to select any vendor as long as they meet the criteria outlined in the ECSMs.
Where operators have a number of critical infrastructural services/buildings (hospitals etc.) as customers, they will be required to have a "state-of-the-art level of security controls".
The costs of all this are to be covered by the operators. Which is interesting: the wording, paraphrased, is "you should have seen this coming if you picked a high-risk vendor".
The ECSMs reiterate that an employee of a high-risk vendor could be manipulated, influenced or ordered by their country to damage or otherwise compromise our networks.
It recommends that vendor access to the equipment be extremely limited and constantly monitored - similar concerns were raised in another EU member state where it was alleged Huawei were running riot in a network.
The risk of edge devices has been highlighted and a number of security requirements have been outlined, including not letting untrusted devices on to their networks.
The ECSMs acknowledge (at last) that vendor diversity is necessary, warning that trade sanctions could impact the ability for networks to be maintained - a key reason why the UK banned #Huawei.
The ECSMs acknowledge two points here: shoddy hardware and software engineering, and state-directed attacks or insertion of malicious code - these were included in the EU Toolkit.
It also acknowledges that the mobile operators cannot consider themselves the experts on what is safe and what is not, and they need to recognise this.
Operators will be required to take a holistic approach to supply chain risk mitigation - something that killed Huawei's chances in multiple markets.
Vendors will be required to notify operators of security vulnerabilities. What does this mean for Chinese companies who have to tell their gov first, who then decide if they can or cannot tell their customers?
Irish operators will be required to develop a diversification strategy which outlines their procurement plans and the measures which mitigate the risks associated with dependency on a single vendor.
Carriers will be required to source network equipment and management software from reputable vendors, in terms of quality of equipment and future evolution and support, in line with ECSM 009 - ouch.
So that's it in a nutshell. There's some excellent stuff in this and some stuff that will be worrying for some Irish carriers; maybe they should have done what the Canadian carriers did, and not put money ahead of national security.
You can have your say on the consultation on #5G security and the ECSMs here: gov.ie/en/consultatio…
A number of elements in this are refreshing to hear acknowledged by the @DF_COS - I am sure there’s a lot more topics he wished to cover. Whilst the military are aware of the threats, our politicians are slightly aware, and our civil service is in utter denial. thetimes.co.uk/article/1e2998…
The Dept of Defence needs actual experts. The Dept of Taoiseach and the NSAC too. The NCSC needs strategists not just code warriors.
Key gov depts such as comms, agriculture and Health should have designated Defence Liaison SMEs too, who can work towards integrating and enhancing the national security strategy whenever it sees the light of day.
We need a whole of gov approach to national security.
Since 2016 the French security services (the SGDSN) have raised significant concerns over the growing dominance of CCP-connected vehicle systems, especially those that will be paired to #5G networks with Chinese hardware. Now their fears are coming to pass: techwireasia.com/2020/05/huawei…
Background: Since 2014 #Huawei has been engaging several European car manufacturers to explore rolling out Huawei GPS technology for autonomous vehicles, connected vehicles and GPS-assisted navigation.
In 2016 French car manufacturer Groupe PSA signed a deal with Huawei under its "Push to Pass" strategy for 2016-2021. #Huawei technology would allow car manufacturers to track, in real time, the location of a vehicle, and retain the data. A major #DataProtection issue.
To understand why so many are highlighting the Chinese cameras in Leinster House, one must first recognise that China does not do business or espionage like the West. There's no separation between industry sectors the CCP deems strategically important.
The #IOT, #5G, #AI and #SmartCities sectors are integral to China. These sectors have billions of dollars pumped into them from Chinese government central and regional funds and are controlled centrally by the CCP, with the CCP placing key personnel into these companies.
One other area of interest to the Chinese government is #BigData - and boy do they have the opportunity to gather as much of this as possible thanks to the West. This data is used to forecast and predict the actions and reactions of markets, industry and people - most importantly people.
A Thread: Key points of the UK #HCSEC #Huawei Oversight report and the implications:
1. HCSEC has been running for 8 years - 5 years testing
It has been examining Huawei and their operations, coding and security for a long time. In that time Huawei has basically slow-balled the process.
2. New additional risks with Huawei identified
These compound the previous risks around binary equivalence and sloppy coding, not to mention delays in translating firmware upgrades etc. into English, which slow the process down.
2a. The report identified extensive non-adherence to basic secure coding practices, including Huawei’s own internal standard, mandated since 2013.