Thursday 27th May 2021, 10:00 (BST)

Cybersecurity in the new era of 5G

  • How does 5G alter the security environment of companies? What are the new risks and who is responsible for them?
  • How can you bring your security team up to speed on the changes they will be required to make? And is there an increased need to partner with third parties including government and telcos?
  • Do the benefits of 5G outweigh the risks?

Full episode replay

Good morning, everybody. It is 10 o'clock on Thursday morning, so it must be time for another teissTalk. I'm your host, Geoff White, for today's talk. Me and my co-host Jenny Radcliffe are going to be covering all of the key security topics over the next few months. Today we're going to talk about 5G and cyber security, so that's a chance to gaze into the future and see where 5G is going to take us next.

Thank you, everybody, for joining us. Good to see you all. Good mornings filtering in in the chat tab there if you want to get involved, obviously, there is the chat there. There's also the question panels. If you want to find out some insights into 5G from our panellists today, pop your questions in the panel there. We're also going to be giving away, as we usually do, a teissTalk mug. I'm going to give away, so yesterday my car broke down and is currently sitting in a side street in North London considering what it's done and having a good think about that before I decide whether to take it to the big knacker's yard in the sky for cars. So I'm going to get somebody already said I barely get 4G in my home, 5G doesn't fill me with confidence. Maybe that's something we'll be discussing, Jonte. I'm going to give a teissTalk mug to whoever can guess the make of the car, not the model, but what make it is, because I will never be buying this make of car ever again. Yes, if you can guess which make of car it is you get a teissTalk mug. I've also realised, of course, we do have a potential issue with our teissTalk mugs in that as wonderful as it is to see our returning visitors here to teissTalk, I do worry that we're going to get to saturation point where everybody who's turned up has got a mug, which on the one hand is kind of an Oprah Winfrey moment. And you get a mug and you get a mug, you get a mug. However, we don't want your cupboards filling in with teissTalk mugs. So please do spread the word about teissTalk, if only for the fact that people who join us will probably end up getting a free mug. No, it wasn't a Trabant, they are probably more reliable. Wasn't a VW, was not a Vauxhall. Clearly people have had issues with all of those types of things. Danny suggested we do a teiss dinner service of the teissTalk. teissTalk mugs on saucers. So listen, if you can guess the make of the car, you get a free mug. It is that simple.

On to the subject in hand, 5G and cyber security. Obviously, 5G with all sorts of issues about the technology, lots of things about the technology. But also there's a huge cyber security part to this as well. We have a great panel to discuss this with us today. We are going to be talking later on to Steve Douglas, who's head of 5G strategy at Spirent Communications. We've also got Ciara Mitchell, who's head of cyber at ScotlandIS, is going to be talking to us not just about 5G, also some experiences north of the border. I am pleased to welcome, first of all, to talk to us on this Saj Huq, who is director at LORCA and can also tell us a bit about what LORCA is. So Saj is going to join us on the screen now. And we'll look into this subject. And it's not an Audi. It's not a Skoda. There we go. So Saj, how are you doing it? You alright? Oh, I think.

Hello. Yes, very well, thank you. Hi, Geoff.

We are receiving you loud and clear. That's good. Saj, I just want to talk actually was I was looking at you looking through your CV as I normally do. And there was one thing that could catch my eye in the first entry on your CV is student brand manager for Red Bull. Tell us about that. You can't put it on your CV and not have it mentioned.

Yeah, I probably, I have to admit, I'm pretty convinced I probably had one of the best student jobs at university where I've managed to blag a job with Red Bull. So I went to University of Sheffield. And I've always been quite interested in aviation, which is slightly tangential to this particular question. But the point is, I once blagged my way into the Red Bull air race, which used to run in London and I met a gentleman there who did this seemingly very cool job for Red Bull, which was a marketing manager role into universities promoting Red Bull's brand to students to try to position it as quite a cool brand. But effectively, what I deduced from a short conversation with this gentleman was that he effectively got paid to go to house parties and disseminate cans of Red Bull to students and also got the use of a Red Bull car. So anyway, one thing led to another and I ended up after a bit of a process getting this role, which was quite good fun.

Ha ha. Brilliant. I weirdly enough, years and years ago I took part in the Red Bull Flugtag.

Cool, yeah. In Hyde Park.

In Hyde Park, which yeah, that was a treat. They made a sign. We all lining up, we all dressed up. We made those all sorts of places astonishing. Somebody made a full well, not a full size, but a scale replica of the Millennium Falcon and were going to fly that off the end, it was astonishing. And we also we all lined up with our selective craft and stuff. And then they made us sign a disclaimer that was basically like, we're not liable for any injuries. And some of the people in front of us had converted some mountain bike into like a sort of vampire bats thing. And obviously on the bike, you've got chain ring where the chain goes, the sort of, you know, the spikes and stuff. And I said, did you not think about taking that off? And they looked and went, oh. They were going to jump off a sort of six metre high on this bike into the thing. The first craft that went off was it had umbrellas on it like a Mary Poppins thing, but the guy had held the umbrella in with scaffold poles. So that was 30 vertical scaffold. And from then on, everybody jumped in, was jumping onto the scaffold poles. It's a miracle no one died. It really is a miracle.

Impossible is nothing.

I'm presuming that didn't lead you to your career in the RAF because it's not the same sort of skills is it?

Not really. It was a kind of brief interlude just to pay the bills at uni. But, yeah, as I mentioned, from a personal perspective, I was always interested in aviation technology generally, and I studied aeronautical engineering at university. And then I was fortunate enough to be selected by the Air Force, trained as a pilot in the RAF, which was probably my early exposure to high technology and kind of seeded my ongoing passion for it and which led me to where I am now.

Fantastic. And yeah, tell me where you are now, LORCA. To my shame, I wrote it down and I don't know what that stands for, but tell us what LORCA stands for and also what it does.

Absolutely. So LORCA stands for the London Office for Rapid Cyber Security Advancement. It's a collaboration between the UK government and the organisation I work for, which is Plexal. So we're an innovation hub and we also deliver a partnership with a number of delivery partners, notably Deloitte and Queen's University, Belfast. So effectively, what LORCA is a cyber security ecosystem which we've developed over the last three years, working with government, to help scale and grow cyber security start-ups and particularly with a focus on bringing to market the new and emerging technologies that are needed most by industry, both now and next. So effectively, LORCA acts as a bit of a bridge between the supply and demand sides of the cyber security marketplace to help catalyse innovation.

And there's some mad stats about the amount of venture capital that's gone to LORCA start-ups that I read. There's actually quite a lot of them. The investment money that's gone into start-ups has gone into LORCA.

Yeah, absolutely. So when we launched LORCA in June 2018, our original target was to help attract up to 40 million pounds worth of venture capital investment into the sector as a whole, but specifically through the start-ups that we support. And the ambition was to help in detail 72 companies to grow over two and a half to three years. I'm pleased to say, kind of reflective of the strength of the UK cyber security market more broadly that those companies have actually raised at last count, I think the latest funding round was announced last week, over 200 million pounds. So obviously quite significant delta on the original intent. But as I say, that's kind of reflective of the wider UK cyber security market, which certainly last two years has delivered year on year growth and record years for investment.

It's interesting. Does something like the Darktrace, the Darktrace IPO, does that help, do people sort of think, oh, OK, there's an eventual end game to this? So when something like that happens, UK cyber security company floated successful. What impact does that have?

Yeah, absolutely. I think I mean, it's a great story for the UK cyber security scene to see a British origin company scale up and throughout their whole lifecycle from journey from early stage to a private company to a public company within the UK but with making a global impact, that's not something that we've seen happen too much for various reasons. So, one, obviously, the scale of the UK cyber security ecosystem is still growing and it's still lagging behind. For example, ancillary ecosystems such as fintech, which obviously the UK is a world leader. Number two is historically. So the access to funding that you've needed and to grow your business in the UK, it's been quite tricky, especially when you start to look at towards the middle period between becoming a successful small, high growth company to journey on to a public company. And historically, what we've seen a lot, quite frequently is businesses start to take a lot of US investment, but then encouraged to move to the US so that their headquarters in the US. That trend has started to soften a little bit. So the likes of Darktrace have received a lot of overseas funding. However, you know, they've kept their HQ in the UK and I think that's really important from an optical perspective. But it's also really important from an ambition perspective. The last point on why that's important is when you look at areas such as Silicon Valley, the reason why there's that repeat cycle of successful entrepreneurial is there because you start to create this cycle of entrepreneurs who have started companies, scaled companies, exited companies and then go back in to start companies again. That's something which is still developing in the UK and so to start to see more and more people such as Darktrace, such as other great companies start to do this, creates a talent cycle which is more sustainable in the long term.

Just be honest with me for a sec. I mean, the companies that you talk to, how many of them want to get that Darktrace stage where they are a company in their own right. Being honest, how many of them do you think will be happy with being bought out before they ever get to that stage?

I mean, I wouldn't like to put a proportion, especially as it's probably fully grounded in opinion, not fact. So what I would say is clearly there are a lot of companies that are very happy to be acquired on that trajectory and it may be less willing to take it and they'll grow the company all the way through to the public market more to a large scale exit. That's OK. I mean, that's not unambitious. And everyone's got their own kind of personal motivations for why they seek to build and grow companies. I would say that it was rare, I think from a British perspective, sometimes we're too humble and we don't almost have that kind of global mind. Historically we didn't necessarily have a global mindset at scale when scaling companies that we want to take over the world, which is where you want to hear about certain businesses from certain areas of the world which go to market with that explicit intent. And that is definitely changing. And that's what I mean by ambition is changing.

Interesting stuff. Fascinating stuff. And I think the Start-Up scene, that kind of thing is fascinating. I spoke to a guy who's getting, he was getting Israeli cyber security companies into the UK to try and pair them up with UK investors. And it's hilarious, he said his main task was to try and stop the Israelis being so over the top that they were like, you must buy this. He's like, no, you're dealing with Brits now. You've got to just dial that back. Culture actually matters as much as technology. Interesting discussion anyway, not what we're talking about today. Mainly, though, 5G. We're talking about the cyber security ramifications of 5G. I mean, where roughly speaking, where are we at with 5G? It's launched. But what's the sort of have we got ideas of how what the take up is and so on?

Yeah, I mean, it's still as a technology still in its infancy. So there are production deployments of 5G. So a number of the mobile network operators are now offering it to their customers from a consumer perspective. From an industrial perspective, I think the deployment of 5G is still relatively early. So we're still looking at a test and evaluation and deployment of the technology at scale. And one of the barriers to that is working out the economics behind 5G and the business case for investment. So unlike previous shifts, especially when you think about, so thinking now, just back to the consumer perspective. For somebody like me or you or any other consumer who uses a mobile device, the difference between 4G and 5G is probably negligible. I mean, clearly, things will be faster but if you're just doing the same things you've always done on your iPhone, on a 5G network versus the 4G is probably not that much of a game changer for those kind of applications. Where 5G becomes a game changer is for the other applications in more industrial applications and the other emerging technologies could enable because of the low latency and its ability to handle high volumes of data at scale.

So that's interesting 'cause, I mean, if you look back at things like 3G and 4G, consumer demand has really driven it. And I remember when I first got 4G, I was going quite early and it was like having your own private network. It was astonishing. That investment sort of either we paid or paid for the network. What you're describing is a situation where that won't necessarily pay for the network. It's got to be funded by the companies that are creating the things that 5G is then going to offer us down the line. The flow is different.

It is, and I guess as well for the providers of networks and the mobile network operators and obviously their supply chain as well, their own business models have changed and been disrupted quite a lot over the last 10, 15, 20 years. So previously they used to make money from providing good quality networks which have got high availability people use, and that can be relied upon. But obviously with the exponential growth of Internet usage and then the way that those services, especially when you with the shift to 4G and mobile data demands on networks exponentially increasing. And then how what that data is actually enabling, so, Netflix, for example, they don't see much, if any, of that revenue, which is big. So then the infrastructure which they provide is being utilised to enable other people to make quite a lot of money. And at the same time, the margins in from their perspective are continually being challenged as well. So the incentives and the commercial well, the economics behind how you maintain your infrastructure, why you need to drive innovation, why you need to embed security there sometimes not always apparent and therefore and also with the shift 5G, the economic case for investing in the infrastructure and also the scale shift and technology shift that needs to happen is sometimes a little bit challenging.

It's really interesting. And actually, I think about that the mobile companies, I think, have survived for quite a while on, you know, partly offering new phones, but also when it when 4G comes along with like, great, we can have a period where we charge people more. I mean, EE, obviously had the 4G contract first off, so they can come to charge people more. There's a sort of growth kind of thing there for the mobile phone companies. It's interesting what you're talking about with 5G. I'm going to paste us a link actually to a YouGov poll about 5G, which I'll paste in there, which has some interesting stats in it. Jonte says, I changed my home Wi-Fi network to a .5G mast. The neighbours don't connect to it anymore. It's slightly worrying they were connecting to it before. I mean, does that way of 5G evolving help embed security in it? Because obviously, I suspect 5G and security are particularly, with things like Huawei, are more prevalent in people's minds than they would have been with 4G. So does this sort of slightly less meteoric growth of 5G allow a period when security can be thought of and built in?

I hope so. I mean, this is the opportunity where I mean, it needs to be and you can't I mean, this is similar to cyber security as a whole. The criticality of technology to everyday life, for business and so forth is such that you can't just bolt security on at the end anymore. Specifically critical infrastructure such as telecoms and telecommunication infrastructure, especially with the types of applications that 5G could enable. Think autonomous cars, think, you know, connected spaces and smart cities and, you know, lots and lots of different things connected to the Internet, transmitting information and sharing data. Security has to be built into the architecture of the fabric of 5G. And actually the shift in kind of the network architecture of telecommunications network 3 or 5G so move into more of a virtualised environment, you know, moving away from proprietary hardware, software, moving to more of a kind of open interface model and an open architecture that provides a lot of opportunity to bring in best practice cyber security, best practice security technologies, tools and approaches at inception and outsource.

Interesting stuff. I'm going to bring in because on all of this, we've got a couple of great panellists who are going to be joining us now as well to talk about this. The teiss elves put up an Infosecurity Magazine article, which I want to discuss with our panellists, as well. We have Ciara Mitchell, who is head of cyber at ScotlandIS. We've also got Steve Douglas, who's head of 5G strategy at Spirent Communications. Thanks both for joining us, Steve. Can I come to you first, Steve, about this? The article that the teiss elves put up there in InfoSec Magazine is talking about 5G and cyber security. And there's a slightly sort of schizophrenic approach to on the one hand, talking about 5G can be better for security because we can fit all those security features into it. On the other hand, seems to massively increase the attack surface because more boxes to go after as a hacker, what do you think? Where do you think the balance that sits with this?

Yeah, I mean, it's to be honest, I think it's a little bit of both worlds at the moment. I think obviously the broader attack surface from having, you know, more softwarised network, which is now heavily dependent on sort of cloud infrastructure, capability of the network being disaggregated and, you know, hosted out at edge locations, which may be seen as weak or certainly does create more concern. But what I would say is, I mean, you know, probably, you know, one of the benefits of 5G's had is that from the early design phase, there have been new security mechanisms built into the architecture from day one to try to resolve a lot of those issues. Now, of course, they're not going to solve everything. We know the threat landscape constantly changes. We know, as Saj rightly said, 5G's big ambition really isn't the consumer market. It is going into the industries and the industrial verticals. And they have unique security challenges that will only really be understood and discovered gradually as 5G is tested and experimented in those environments. So it's got to have a flexible nature, 5G, to be able to adopt that security. So, I mean, what's quite interesting, as I said, you know, in the architecture itself, you know, from the technology point of view, there's been a lot of new capabilities brought in to help secure the communication from the devices, to the network within the network itself, new types of encryption mechanisms. And there's also now a huge area of opportunity around new capabilities within the architecture itself to actually create secure what they call network slices within 5G, dedicated sets of resources within the 5G system for these enterprises to create their own types of security and privacy. But of course, this all still has to be proved out, and that's sort of a lot of the work that experimentation work that's going on at the moment.

Just staying with you, Steve, for a second on that. So you know we're still reliant on mobile phone masts as I understand it to make 5G work. Who is building those or retrofitting them and why are they doing it? Who's making the money on all of that at the moment?

At the end of the day the investment certainly coming in from the, obviously the mobile network operators, you know, putting the investment in on the mast. But they obviously partner with a number of players who build that infrastructure out. So you have companies like Crown Castle, you have American Tower who will actually physically build the infrastructure in the sites. So the market sort of segmented that way where the interesting probably new development is also in the small cell market as well. So one of the, I think, challenges that 5G and opportunities at the same time is that it needs to have a huge densification of the networks. We need, in essence, more cell sites and small cells are seen as one of the answers for this so that, you know, obviously smaller regions, potentially indoor usage as well from the factory environment. And there's quite a number of new players coming into the space there. So it's pretty exciting from an innovation perspective and new companies and new start ups, of course, suddenly you've now got a broader ecosystem of players who are developing components that are now all part of this supply chain. And that suddenly becomes another sort of area of security concern and something that sort of the government's picked up on as well in terms of just the breadth of that supplier landscape.

Interesting stuff. Ciara, can I come to you next? You were 20 years at BT. I mean, it's a really long time to be working for that. Things changed a lot during that period, didn't they? I mean, the stuff Steve's talking about in terms of devolving of the network, devolving of power, devolving of kit, that's just a whole new world.

Yeah, I know. Absolutely. I agree with everything Steven said. And I think it's important to point out as well that isn't a case of 4G secure, 5G insecure. We have 4G insecurities that we still live with today and we accept SMS messaging deception as weaknesses in that whole area is one, for example. As Steven said there's a number of inbuilt security metrics and controllers in 5G so that we are learning from the past we're building them in. But like any new emerging technology, it brings its own vulnerabilities and challenges and it's just such a different landscape now because it's so software led and software defined and we're all used to living certain incumbents like operating the mobile networks. I mean, that's now going to be a thing of the past because we're gonna have so many vendors and so many organisations who are certainly players in the space, part of the ecosystem, none of them working in isolation. And that's where the challenge comes, it's that continuous integration, continuous testing, making sure there isn't any kind of cascading effects of vulnerabilities introduced because of most of the issues that collectively and cause a vulnerability. So a lot of it is just bringing the cyber security best practice to this world. Things like defence in depth has never been more important. You know, you absolutely have to make sure we have layered defence approach even to the point of zero trust, we don't trust any other part of the supply chain until they can prove we can trust them. So a lot of it is just bring in the controls that we've all worked on for many years in cyber security and making sure that we apply them to 5G. And it is good to see that there has been a much more of an approach for security by design and security first, but because it is such a complex ecosystem and we all know it just takes the weakest link. It's going to be a challenge, but there are ways to mitigate it. We're not talking about inherent flaws and we're not saying it might not be, some of them arises, as you say, if we put things out there and we actually see real applications of it. But we know, trying to mitigate that from the start as best we can. A lot of what we're talking about is just finding the best practice and making sure we have the end to end joined up security and solution, defence in depth and many other mitigations that we're familiar with.

Stay with you, Ciara, for the moment. Steve outlined this interesting issue in that we're just going to be much more density and there's going to be effectively more private players involved. At the moment when I switch my 4G on my phone. That's a number of masts around here provided by a number of big, very big companies, one of whom is my mobile provider. Well, I say that actually that doesn't work in the house that I'm in but let's not get into that issue. We talk about a future where if my phone's on 5G, I connect to a network. Actually, that network might be a business down the road that's installed 5G is interfacing with the wider 5G network. I just that makes that gives me a bit of a shiver of security wise. Do you see what I mean? It seems to be more potential there for problems.

Yeah, it is. And we really have to wait and see how this all kind of matures, I guess is the best word to use. We are seeing that increased focus on fibre networks. And I think a lot of that is coming from businesses not wanting to be put in that position, as you say, actually having control themselves. So they have their own network that they can install, they can use and in collaboration, obviously, with the mobile operators, with the vendors. It is reserved for them and for their use only. And I think they see that becoming more and more common because of some of this nervousness and just because they want that control, they want the reliability and they want to make sure that they know who's also using that network as well. So, yeah, it is a whole different world. It will be interesting to see how it settles down and what we all get used to as well. And I think some of the slow uptake in some businesses in particular partly is because technology still emerging. But it is this nervousness because it does feel like it is a bit of a change. It's interesting because from a consumer as Saj was saying it's a little bit faster and some people will rush to get 5G phones because we always have that small percentage of people who want to be there first. For many others we'll be like, well, we'll wait and see. We need 5G mainly the benefit is mainly it's business to industry, but there will be that nervousness because obviously, rightly so, they'll be risk averse.

Steve, can I come back to you? If there's a business that puts in its own 5G network, is it possible for them to simultaneously sort of use that for their own employees or business purposes and so on, but also make part of that available as a public 5G network and participate in that? Is it possible to run those dual systems and, obviously we'll get to the security issues around that, but is that doable? Is that a model?

Theoretically, yes. I mean, it requires certain technology on the device itself, so your SIM card on your device is usually associated or tied or registered to a specific network. So you can set that up to have a certainly your devices connected, you know, dedicated in a private environment and creating zones within that, so a zone for, you know, for the business operations, for visitors coming into it like you would do in a wired network you see today. So those capabilities are there. And I think there's another sort of dynamic happening at the moment. It's something called neutral hosting, which is sort of going on at the moment, which is, again, sort of driven by the cost dynamic of trying to roll out 5G and also a little bit of the sort of the planning side of it. Every one of our tower operators has to develop their own tower site, not only as I could be seen as a bit of an eyesore, there's too many of them, but it's just a cost factor, sort of gets it. So there's this idea potentially of also neutral hosts where somebody comes and builds infrastructure and it's shared the capability shared. Whether it's just a tower or actually whether it's the actual technology on the tower itself. And they're not segmented between those who want to physically use it. And that's becoming more and more popular. And we're starting to see that sort of being explored by potentially non-traditional operators coming into the space. So you could imagine the real networks or your local town or council putting up sort of capabilities in the towns and then actually, in essence, creating a multitenant environment where you, the consumer, could get on to it, but also the mobile network operators could lease that capability themselves and share that. So there's a lot of innovation around that. Of course, then that opens up again, a genuine concern. You've got a multiple party sharing similar infrastructure. What happens if that infrastructure gets compromised? You know, where does the blame lie? Who deals with that? So there's a lot of security challenges to be worked out there.

Yeah, interesting. It's almost like the cloud dilemma of who takes responsibility for security in the cloud and the answer generally is not Amazon or Microsoft. Saj, can I come to you? I'm just still not quite clear on who's paying for this or who's going to be paying for it. So traditionally, it's the mobile phone operators generally who takes these points. But generally the mobile phone operators are going to be fitting this stuff. They're not getting a huge windfall of massive take up from consumers and loads of money coming in from selling 5G contracts. So who is funding it? Where were they getting or hoping to get the money from for this?

Yeah, I think I mean, at the moment, this is why, I see this quite a lot of government intervention in space as well to kind of bridge that position between economically sustainable market dynamics and currently where we are with regards to 5G rollouts, which Stephen just referred to. I mean, there is an opportunity for MNOs, mobile network operators, actually develop new services and new business models as a result of 5G. And we've seen that quite a lot where there's almost a shift towards from just being seeing the core businesses being responsible for the network infrastructure and the provision of that towards being more of a managed service provider, including of security as well, and what that could bring. So this is why the 5G landscape is so complex, because of the opportunity it brings, not just the complexities that needs to be navigated to see those opportunities. It's still unclear answer to an unclear question. Unclear scenario, rather.

I think you're right. And it's interesting. You can see mobile network operators starting to see themselves as more than just providers of a data connection or telecoms connection and vital services. That's a really interesting sort of interesting model and not one that I think they'll be shy of exploiting.

Maybe I could just come in on that bit? I mean, I just want to put in an interesting sort of comment out there, because I think there's been a lot of sort of feedback that, you know, the revenue isn't really going to be there from the consumer side and it's going to be dependent on certainly the industrial and the enterprise sectors are of high interest to the mobile network operators. But actually, what we're starting to see in some of the Asian markets, which were probably the first to launch 5G, they're now starting to see revenue increases from their consumer markets as well. They have started to bring innovative new services to their consumers. And a lot of these are evolving around a combination of using 5G and edge technologies for things like low latency gaming applications that have become and started to become quite popular and driving up higher sort of revenue around up there. They're also tying it to sort of media opportunities as well. So they are driving sort of incremental revenue. Which is starting to be seen as quite profitable.

And it's interesting. Yes, I might not pay more for my mobile phone contract every month, but I might get a smart car or a smart fridge or something that relies on the 5G network. So the money I paid for my car or whatever might make its way back. OK, look, we were 34 minutes in and I still haven't mentioned Huawei, so let's look at the elephant in the room. Saj, can I come to you on this first of all? Obviously Huawei being removed from critical networks. I mean, you guys are all in sort of 5G security sub-group. How big an impact is this going to have? I mean, I don't think it is a decision that was welcomed by various parties, like what impact it has had on stuff generally besides security?

I mean, it's a huge, huge decision. I think it's a bit of a watershed moment generally for the role of sovereignty in critical technologies which are core to the future prosperity and national security of our country. So I think this level of intervention is probably not anticipated, hopefully because policy decisions that are taken now with regards to emerging technologies, hopefully will now predict this and avoid this potential scenario in the future with other tech. But it's an important lesson learned when reflecting on policy decisions that were taken 20 odd years ago, which have led us to the point where we've got such a consolidated market, and as a result of that, you only really have three major vendors, equipment vendors in this space. I think it also shows that, I guess the international pressure which was applied, not directly to our government, but this became a global issue and other countries such as the US and so forth, have taken their own line around high risk vendors. And I think that the nature of how we trade our economy, globalisation and so forth, means that you can never really make your own isolated decision on such strategic areas. And they need to be reflective and compatible with what your partners are doing as well. But there is a huge opportunity with regards to stimulating an ecosystem which is vibrant, diverse and more diverse supply chain going forward. Stephen and Ciara both mentioned that the opportunity of looking at how we can stimulate that marketplace with new vendors in the UK, actually this is a really good opportunity to bring in new people into the space who never particularly worked in telecommunications personally but you know might have the technology that could enable some element of the supply chain going forward. So I think there are definitely lessons to be learnt, but I think there's some exciting roads ahead, hopefully.

Ciara, can I come to you on this as well? Because one of the things about the Huawei decision was there was a sense, I think at one stage that we could get along with our Huawei as long as it wasn't in the central part of the network, as long as it was sort of the edge parts of the network. I never really understood how that argument worked, because if you're moving sensitive data across a network, it doesn't matter whether the edges or the centre of it. That seem to be the logic, there was a sense for a while that as long as it was deeply integrated, it be OK? That seems to have just gone out the window.

You're right. That was exactly the approach that there would only be a certain percentage of the network, could be Huawei. And we're going to be in certain areas, but as you say, you know, if there's a back door, there's back door. I mean, obviously, if there is like segmentation and there's ways to mitigate what exposure there is to that, but it was still a high risk approach. If I'm totally honest, I'm still undecided about whether our decision with Huawei was the right way to go or not. If it was felt it was that high risk threat then absolutely had to be made. But where I worry is how far is this going to go if we start ruling out equipment because the origins in certain countries, it feels like it's going against the whole globalisation. And then how far do you take it? What happens if this sort of equipment has cards or has elements from certain countries, you know, how deep how do we go? You can build in, I guess, back doors in SIM cards and critical elements as well. It's not just about the main software and vendor of that particular kit. So and also hopefully not too political, but, you know, there's certain countries we are very close to in the UK, like the US, who are the instigators of all this kind of covert and backdoor surveillance and are still seeing articles come out saying about partnerships with Amazon and their security and remote monitoring and home surveillance that they have with local government. So, you know, are we being a bit inconsistent? The fact that we ruled out Huawei but there's other countries who aren't behaving as well. So it's a difficult one to go down because when you open that door of blocking certain devices from certain countries, how far will we take it? And we can't just say everything has to be British. No country is able to do that anymore because we're so reliant on vendors from across the world.

It's interesting as well. I mean, it's worth pointing out, of course, we have the GCHQ cyber cell that was looking at Huawei kit with Huawei engineers. The last I heard from I think it was Ian Levy at GCHQ who said, you know, basically we're not worried about the Chinese getting access to it. Anybody could get access to it because the coding in the build is quite shoddy, that seem to be his suggestion. Obviously, Huawei not here to defend themselves. I'm sure they'd say their kit is very well built. But it didn't seem to be that GCHQ had discovered, you know, some massive issue. Perhaps they were briefing in private that they had, but that certainly wasn't what they were saying publicly. But it's interesting. Steve, can I come to you? Obviously we look at the sort of concerns and the threats around 5G, but there's also the possibility that you can use the 5G network, you can embed A.I. into it much more effectively to spot threats and to manipulate threats. So there's a potential win as well, if we roll this stuff out, right?

Yeah, absolutely, and I think this is one of the outputs that have come sort of from that, you know, the whole Huawei situation was trying to understand, you know, how do you deal with potential threats on the network and actually use the network, in essence, to potentially defend itself and deal with the fact that you may have to remove a vendor shortly given notice, because, I mean, that was one of the headaches that the Huawei decision sort of certainly caused was suddenly you're talking about decisions which have been made to either deploy Huawei or even the deployments that had started, are now going to have to be rolled out and that's quite a complex process which highlighted the concern of, say, a vendor did become compromised. What are your contingency plans around that and how you deal with it? So one of the key areas that I think the industry's been looking at is how do you actually architect the 5G system to allow that and then how do you allow it yourself to use mechanisms to potentially in the future self defend itself? And a couple of key areas that are sort of coming into that space, number one is around sort of the early sort of network slicing technologies, which is built into 5G. So the idea of a slice in 5G is that you can set up a dedicated set of functions within the network, which are purely allocated to a specific say use case. Dynamic can be dynamically allocated. You could imagine that that slice of the network could then suddenly be used potentially as a quarantine slice. So if you saw erroneous traffic coming into the networks, moving into an area of the network which quarantines it, that does triage on it, it actually tries to work out is it an issue or not before you actually allowed it into the broader system and the only resources that are potentially going to be compromised around that will be the resources that you've decided to allocate for that. So that's a pretty exciting way to do it.
The other one is around AI technologies, which we're starting to see come into it as well. I mean, one of the big challenges is the more security we put in to the network in terms of encryption, the more complex it is to identify. For example, is this traffic coming into my network erroneous? Is it an attack? Because I have no visibility of it. So suddenly you're starting to depend on AI techniques to start to explore behavioural patterns of what's coming onto your network. Is this the right behaviour? Is there something strange about it? I'm trying to equate again, sort of, what should I do with that? And I think that's going to be sort of needed as we go as we move forward, because, as I said, obviously we are encrypting traffic across the networks, so our visibility diminishes. So we need mechanisms to try to work out what's good and what's bad. Of course, the big challenges, the more industrial devices and systems we connect, we're not used to the traffic patterns they produce. You know, we pretty much know what you and I do on our smartphone today. So I can pretty much guess looking at the behaviour, that's what it is. But, you know, how on earth might want to know what's a hundred different types of industrial devices and the types of communications they do? Is that good or bad? And these are all sort of the areas. And it's pretty interesting sets and research going on around this at the moment. And I think A.I. and network slicing are going to be two of these sort of sort of the key mechanisms we're going to probably see in the next sort of five years coming into the 5G system.

I just wanted to jump in on what Steve has said there, and that was alluded to earlier. I think there's some exciting developments here with regards to security and how that's applied to 5G. One thing that we haven't mentioned is there are other areas of industry that are doing some of this stuff already, but in different environments. And so the opportunity to actually learn from approaches that are being taken by enterprise and other industries, best practice cyber security are obviously quite advanced techniques and tooling and solution develop and so forth is a good opportunity. And it's kind of, I guess, a bit parallel to a wider kind of trend that we're seeing between IT and OT convergence where actually the skills, capability, knowledge and understanding might sit within an IT team function at the enterprise level, but actually that could be deployed and the management of it could be deployed into the OT environment as well. So it is quite interesting. I think this one with regards to the like a lot of the challenges in 5G around cyber security, you know, stuff like visibility, as Steve said, it's massive. And it's I mean, it's a massive issue for enterprises generally in cyber security, but it's huge in terms of the complexity with regards to 5G networks, I think as well securing the edge of a network is critical and then the automation orchestration between the edge and the core and across the whole network as well in terms of managing mentioned that security is key with regard to securing the edge as well, like the fact that a lot of we always use the term smart device, but actually a lot of these devices that will be at the BBM points aren't smart at all, they're low powered, low bandwidth and they're susceptible to being compromised and kind of mitigating them as a vendor is paramount.

Interesting stuff, Saj. There's loads to work on. It's a slightly terrifying future in terms of the scope. But also good to hear that there's work being done on the security side of it. Nobody's guessed the car. And so as your punishment, I've included a link there to I mentioned that I was in the Red Bull Flugtag and there's a link there to video. So you can see me looking much, much younger, much stupider if you want to do that.

I want to thank our panelists. It's been really interesting. I've learnt loads, so apologies to our viewers if I took over. I find stuff fascinating. I've learnt loads from you guys. Thank you Saj Huq director at LORCA, Ciara Mitchell, head of Cyber ScotlandIS, and Steve Douglas. Stephen Douglas, head of 5G Strategy at Spirent Communications. Thanks to all of you. We are back next week. Normally it's Jenny Radcliffe, my co-host, on a Tuesday, but next week it's me, a double dose and it's going to be a cracker.

We have Jake Davis, who is one of the founding members of a hacking group called LulzSec who spin off of Anonymous, did two years in a youth offender institution. Now cyber security consultant, he's going to be talking to us about passwords and the future of authentication, which is a really interesting topic. And Jake is a fascinating guy. So please do tune in next Tuesday at 4:00. I'll be online then. Thank you so much for joining us. Tell your friends, tell your family and we'll see you for another teissTalk again soon. Thanks to all the panelists, take care.

Featuring:

Geoff White, Host, teissTalk
Investigative journalist Geoff White has covered technology for BBC News, Channel 4 News, Audible, Forbes online and many others.

An experienced public speaker, he has given keynote talks at some of the UK’s largest tech events, in addition to hosting conferences and chairing panels at venues ranging from London’s Chatham House think-tank to the Latitude music festival.

Saj Huq, Director, LORCA

Saj leads cyber innovation at Plexal and is the director for LORCA: the London Office for Rapid Cybersecurity Advancement.

His work at LORCA involves facilitating collaboration between startups, scaleups, government, investors, academia and a cross-section of industry, with the aim of growing the UK’s cybersecurity sector and making the internet safer for everyone. Saj is also a member of the UK5G Security-Sub Group (SSG) to the UK5G Testbed and Trials Working Group.

Saj started his career in the Royal Air Force, where he was a commissioned officer and pilot, and spent a number of years as a management consultant at Deloitte and PwC. He then moved into industry, leading strategic change at a PE-backed property finance firm where he helped them operationally scale towards achieving a UK banking license, prepare for the incoming GDPR and improve their cyber and operational resilience.

Ciara Mitchell, Head of Cyber, ScotlandIS

Ciara is the cluster manager for Scotland’s cyber cluster. Her role involves supporting the development, growth and promotion of the cyber security sector in Scotland, bringing the cyber community together across academia, public sector and industry in order to enable collaboration and innovation in this sector in addition to facilitating gaps or challenges to be addressed. Ciara sits on the Skills Development Scotland Cyber skills working group and the UK5G Security working group.

Ciara has extensive experience in the telecommunications and cyber security industry, having worked for BT for 20 years before freelancing for a cyber security start-up while completing an MBA at Heriot Watt Business School. She worked in a number of different roles while at BT ending up as Head of Global Product Management within BT’s Cyber Security Division. She joined ScotlandIS in August 2019 to take her current role of cyber cluster manager.

Stephen Douglas, Head of 5G strategy, Spirent Communications

I am a hands-on Technology Strategist and CTO who believes in innovative and disruptive technologies which challenge the status quo, are market leading and which make a real difference.

With over 24 years’ experience in telecommunications I have been at the cutting edge of next generation technologies, involved with multiple Service Provider start-ups who have had successful M&A transactions and worked within large tier 1 vendors in driving innovation and transformation.

I passionately believe in solution selling and working closely with customers and partners to build successful technology vision, strategy and outcomes and have had the privilege to work with, build and nurture multiple Solutions (Sales) Engineering teams across the world.

I am an ardent believer in connected technology and have continuously strove to challenge, blur and break down the silos which prevent innovation and business success.

© 2021, Lyonsdown Limited. teiss® is a registered trademark of Lyonsdown Ltd • Registered number: 05832927 • VAT registration number: 830519543
