Sunday, September 27, 2020

More hackable things

By Ben Knight

Almost imperceptibly, the innocuous gadgets that surround us have become alive with threat. Fridges, smart electricity meters, cars, construction cranes – a bigger Internet of Things (IoT) means more hackable things: in other words, more points at which systems can be breached and disrupted.

Not only that, the pace of this change is likely to explode with the dawn of 5G technology, which potentially accelerates connectivity speeds to a level that makes all kinds of new IoT devices possible.

As Bruce Schneier, author of the terrifying book *Click Here To Kill Everybody*, likes to point out, the boundary between the online and offline worlds has long since been blurred: Cyberspace “is not a place we go to anymore, it’s a place we’re in.” That means the threats that cyber security must guard against are not just data theft or espionage, but crashing nuclear power stations, or hacked driverless cars and delivery drones – in other words, we’re in a world where cyber warfare means killing people.

But elaboration leads to vulnerability, and the speed at which the digital complexity of our critical infrastructures is mushrooming is outstripping the pace at which governments can regulate and standardize the technology. Indeed, just as governments often rely on the private sector to innovate, they also rely on them to build their own safeguards.

These were some of the themes addressed at the Munich Cyber Security Conference, the day-long tech-focussed prologue to the Munich Security Conference (MSC) in February – where Schneier was among the more alarmist participants.

While the world’s foreign ministers were still working on

their geopolitical strategy speeches on the way to the Bavarian capital, participants were there a day early to remind them, as Marina Kaljurand put it, that all ministers, whatever their department, “have to be IT ministers” now.

As former Estonian foreign minister, Kaljurand has some unique experience of cyber warfare. She was in office in 2007, when several Estonian institutions, including the parliament, were hit by a series of cyber attacks that originated from Russia. The experience focussed the minds of the Estonian government, which became among the first in Europe to carry out “table-top” exercises to simulate the effects of a catastrophic IT attack, and to coordinate the responses of various government branches.

But while table-top exercises are now more common, those lessons aren’t necessarily being learned in other governments. Cyber security experts have long worried that government agencies in Germany, the EU’s biggest country in population and economic strength, are not coordinated enough: “We’re lacking a single authority for cybersecurity,” said Oliver Rolofs, co-founder of the Cyber Security Conference. “We need an agency to orchestrate all the responses to a potential risk.”

Of course, awareness of the issue is growing. “I see that there is political attention to the topic, I see that there is much more awareness than 10 years ago,” said Kaljurand, who is now chair of the Global Commission on the Stability of Cyberspace (GCSC).

Meanwhile, the technology is about to make a huge leap forward. The dawn of 5G offers new advantages to certain countries, and at the moment that means specifically China, home of Huawei, a company whose telecommunications expertise almost makes it a geopolitical player in its own right.

That impression is enhanced by US President Donald Trump’s paranoia about the telecom giant: he recently threatened to issue an executive order to ban Huawei from selling advanced telecommunications equipment in the US. Indeed, Washington insiders have said that the only reason he hasn’t done so already is concern he may upset delicate trade negotiations with the country.

Other reports have emerged of a hidden battle between US intelligence agencies and Huawei, whose CFO was arrested in Canada, while a Huawei employee was also arrested in China. Many fear the company can be used by the Chinese government to gain access to critical infrastructure – allowing Beijing to dangle a digital sword of Damocles over rival superpowers. That fear has recently spread to Europe. Germany is currently locked in a debate over whether to use Huawei technology to boost its 5G network, while the UK and Canada, both members of the “Five Eyes” intelligence alliance, have already said they would be open to using Huawei equipment.

The solution, as Andreas Könen, director general of cyber and information security in the German Interior Ministry, sees it, is to have “more IT that is produced in Europe”. This would help to allay the fear that technology bought from elsewhere could have so-called “backdoors” built into it: portals that allow hackers who know they’re there to access systems.

At the moment, though, with Chinese tech supremacy apparently unquestioned, that seems to be wishful thinking.

Ben Knight
is a freelance journalist based in Berlin.

Security Briefs