Telecommunications (Security) Bill (Fourth sitting) Debate
Full Debate: Read Full DebateChristian Matheson
Main Page: Christian Matheson (Independent - City of Chester)Department Debates - View all Christian Matheson's debates with the Department for Digital, Culture, Media & Sport
(3 years, 10 months ago)
Public Bill CommitteesQ
Dr Sellars: You are quite right that 5G opens up a whole load of new benefits, predominantly high-speed access/lower latency. I think some of the security risks are around who is providing the infrastructure to support 5G. The concern that we have at the moment is that we need to have security of supply—both resilience of the supply chain for that infrastructure, and the cyber-security and encryption element of that infrastructure.
I think it is fair to say that 5G is likely to support a much broader selection of services. It is likely to have an impact on commercial, governmental and security transmission, just because of the widespread access and its very high-speed capability. It is also likely to support a very large number of internet of things devices—the sort of devices that UtterBerry develops. Some of those devices are another potential attack vector, if you like; they are another potential vulnerability. It is broadening the access into the network, which is potentially opening up new sorts of vulnerabilities that we need to take into consideration.
Dr Johnson: Let me start by saying that some aspects of security in 5G networks are actually much more secure than in previous generations. Looking over the lifetime of cellular, you will know that you could just listen into first generation analogue networks with a very high frequency radio. GSM—the global system for mobile communications—was secure, partly at least. The network and the phones would authenticate to each other, but only asymmetrically, so the phone could be captured by a surreptitious network. That sort of attack is still used.
3G is much more secure, with symmetric authentication. It is harder for devices to be captured by the wrong network, but it is still possible. It is also possible for the IMSI—that is to say, the international mobile subscriber identity—of an individual or group to be found from that network. The same is true of 4G. In 5G, that is much more difficult. In terms of the security of the user of the network, 5G has tightened up a lot of the loopholes in previous generations in a way that is very hard to unpick. That creates tactical problems for some law enforcement agencies, which rely on some of the insecurities of earlier generations to do their job.
From the network side of things, there are some issues. There is a new network model in terms of the way nodes are connected in the core network. No longer are there physical interfaces as in previous generations of network, where there would be an S1 connection from the base station to the core. There are still connections, but they are much more in a publish-subscribe-type model. I think those, conceivably at least, bring a little more opportunity for attackers to probe nodes within the core network to find weaknesses and vulnerabilities. That is my take on 5G.
Heba Bevan: We have three elements that the telecoms community could work on: the communication aspect, which is provided by companies such as BT; the hardware aspect, which is probably provided by companies such as Utterberry; and the software element within the system. So there are three types of vulnerability that could be introduced in the path of these three elements. The only problem with these paths is this: who is responsible if there is an attack? Usually, the communication aspect is the most important part to get protected.
Currently with 5G, there is a huge opportunity for opening up a huge economic impact from the sector in terms of healthcare, education and tech industries. These industries will need to move on and having 5G is definitely an important element, but how can we make sure it is secure in providing an effective communications network that provides an end-to-end solution and security? That is where I think we need to concentrate on the telecommunications and how can we make sure that what we are getting from that communication is totally secure, and that the encryption within it passes certain thresholds.
We can follow a certain standard within the hardware and software, but if the network is weak and has not provided us with good reliability, that is where things could be broken.
Q
Is there a shelf-life of the older versions? I am surprised that we are still talking about 2G—that it has not been removed. Is there a shelf-life for those elements and will they be removed from what I term “the network”, which is of course the whole global telecommunications infrastructure of the UK? Nick, do you want to start on this question?
Dr Johnson: Yes. Let me start on that shelf-life question. GSM is a little bit like Radio Four longwave, right? I do not think that it is ever really going to die; there are just too many people who depend on it for one reason or another, whether that is for emergency calls, or just for coverage in remote locations or wherever. I think GSM will stay there forever, despite its security issues. They are well known and understood, and managed in due course.
The shelf-life of network components is an interesting aspect. Our experience of deploying into cellular networks is that there is always a security audit involved. When we take a piece of equipment into a new operator, there is always a hurdle to be overcome. They have their own audit procedures and those include a sort of paper audit, where they look at the particular software components that the software is built from, some of which we build ourselves, some of which is open source and some of which is commercial off-the-shelf software libraries and so on. They want to make sure that those are all up to date and properly patched, with all the latest security patches and so on. I think that will just continue on. To some extent, that is just the baseline hurdle.
I am not sure this is exactly what you are asking, but what has changed in my mind as we go forward is this idea that there can be software in the network that is not so much interested in security—as in, somebody hacking into it—but is more of a Trojan horse type of software, completely undetectable until some signal or some date comes by and it springs to life and does bad things. The example I have in mind is the SolarWinds example from December last year, where software had been inserted in the supply chain and had been sitting there quite happily for a while. That, to my mind, is very difficult to detect. Until it goes off, you do not know there is a bomb inside it, and that is an issue.
Coming back to the shelf-life question, keeping the software up to date is a major issue. It sounds easy, but practically speaking, I know it is an operational dialogue all the time within vendor businesses: they are striving for revenue from new customers, for new features to be added, and that is acting against updating the software libraries and so on to bring them up to date. There is a continual dialogue in every vendor company to ask, “Do we need these features to get more revenue, or do we need to update these libraries because we need to maintain secure software?” I guess to some extent, the whole reason for this Bill is to try and force that to the front of the conversation; to say, “Look, you can’t go on. That dialogue has to stop now. The software needs to be secure.” That has to be the baseline; it has to be a basic hygiene factor in selling software that it must be secure to a certain level, and the features need to come as value added. If you have some questions coming up on the code of practice, designated vendors and so on, we might talk about that, but those are my comments on shelf-life.
I think I missed your first question. I apologise.
Q
Dr Sellars: I can add a little bit. Your question about auditing systems is very pertinent to the experience we went through at the end of the 1990s with the Y2K bug. Lots of companies were required to do an audit: financial institutions, companies using software-driven automation, were required to do an audit of their systems in response to that threat. It would probably be a fairly similar exercise for telecoms. I am sure they must have a register of the equipment they use.
Nick has made all the points about software shelf-life, but from a hardware point of view, there is a capacity that the hardware can deliver. My understanding is that as they put in a new service such as 5G, it is quite often built on existing infrastructure such as 4G and 3G. Clearly, each piece of hardware has a bandwidth and can support a certain amount of data throughput, so in terms of shelf-life, I would argue that it is mostly capacity-related. I do not think there are any major concerns about things wearing out as such from a hardware perspective.
Q
Heba Bevan: If we are auditing basically hardware, it becomes very difficult. You can audit maybe 10 main base stations, 20 or even 100, but every single one of them is quite hard and intensive, and it might also be locking to a certain competition in who the supplier is. If you are getting it from one supplier, you are able to audit that supplier, but if you are getting it from multiple suppliers, how would you audit every single supplier? Would you go 10%, or 20%?
The other thing I would like to highlight is that back in early 2018, Intel had a problem with the security of one of its chips. I can provide written evidence later on to give you the full details on that. One of their chips, as well as AMD and Arm, had a problem, and they knew about it, but it has not been fixed. The problem is that if you put it out there into the community, it becomes a major threat, and a bigger threat.
In terms of hardware, as long as it is supported, maintained and updated on a regular basis, its shelf life will be built to a certain recognised standard. However, if it has not been built to a certain recognised standard and it has not been tested and maintained yearly, it will come to an end very quickly and will need to be replaced. We have a huge problem with a lot of networking in smaller areas and bigger areas in the UK. Some of the areas have an amazing network and speed, and some of them are very bad and are actually degrading. We can see that even in education. Schools currently rely on these networks to have Zooms and Teams meetings, as well as normal meetings. Some areas have not been maintained as other areas in the UK have. Maintaining and auditing them is bound up with the maintenance and making sure that, whoever the supplier is, they maintain the system on a regular basis, update the software and keep a track on that.
I am sure Members would appreciate further details on the Intel example, if you can provide that.
That would be helpful, thank you.
Dr Sellars: I agree with the points made by the other two witnesses.
Q
“I am delighted UtterBerry has been selected as a champion of British technology excellence through the TechHub programme—just one of the new initiatives we have launched in partnership with industry and the Chinese government.”
That is from Sherry Madera, the deputy director general of the Department of International Trade at the British Embassy in China. Are our firms still being pushed to share communications technology with China as this Bill is going through?
Heba Bevan: No, we worked with the Department of International Trade in 2016. The Chongqing Government were interested in having UtterBerry there. We spoke with our lawyers about the amount of IP we have and decided that we would not pursue this. We do not manufacture anything in China. Everything in UtterBerry is manufactured in the UK—software, hardware and everything we do. We mainly have graduates from the UK. We have European engineers, but recruitment is mainly kept closer, because of the IP sensitivity.