Digital threats examined at Munich Cyber Security Conference
February 14, 2020It took all of 97 minutes before the H-word was even uttered. The name of the Chinese telecoms manufacturer Huawei had been the elephant in the room from the moment the 250-strong audience of experts took their seats. The concerns around this company illustrate a rift in the cybersecurity community — many of whose leading lights from around the world were gathered on Thursday in a hotel conference room in the Bavarian capital for the Munich Cyber Security Conference (MCSC).
Read more: What can we expect from this year's Munich Security Conference?
Next-generation trust
The Trump administration has been lobbying other countries to ban Huawei equipment from their next-generation telecoms networks. It says because '5G' will be so fast, it will make all kinds of new things possible — such as self-driving cars or robot surgeons in hospitals. And that will mean the need to trust the infrastructure will be all the greater.
But in Europe, politicians are inclined to be more accepting of Huawei. Members of Angela Merkel's party wrote this week in a policy paper that a ban would be of no use: "Even with comprehensive technical checks, security risks cannot be eliminated completely."
The UK government has prohibited Huawei from supplying equipment in parts of its 5G network. Speaking in Munich, Ciaran Martin, the CEO of Britain's National Cyber Security Centre, sounded almost apologetic: "This is a UK specific decision for UK reasons. It fits the context of the UK at this particular time. We're not asking anybody to copy it."
And he added a more fundamental insight: "We assume every bit of kit, wherever it is, whoever made it, whatever it does, can fail, accidentally or through malicious activity. That is the way in which we balance risk."
Read more: ToTok app is a 'spying tool' for UAE
Known unknowns
That theme of potential failure of technology loomed large at this year's MCSC, a one-day brainstorm held just ahead of the main Munich Security Conference. It bore a gloomy title: "Failsafe — Act brave." There were worries that artificial intelligence has become too clever, deepfakes too believable and systems as diverse as pacemakers and autonomous vehicles too exposed to manipulation through the internet.
Panels from industry, governments and academia fretted about "Protecting Critical Infrastructure” or the "Known Unknowns” of the Internet of Things. Briefly, one could be forgiven for thinking the world was going to hell in a handcart.
Read more: EU rules out Huawei ban — but maps out strict rules on 5G
Defending the 'splinternet'
Earlier Margaritis Schinas, the new EU Commission Vice-President with responsibility for security, took to the stage to warn: "Europe's approach to security remains fragmented."
After listing some of the perils - attempts to influence elections, to steal data from companies and individuals, and disrupt civil society - he intoned the axiom of European cooperation: "No country is capable of tackling this challenge alone."
That sentiment was echoed by Sandra Joyce, Senior Vice President for Global Intelligence at FireEye, a US cyber-security firm that claims to offer "nation-state grade threat intelligence."
Speaking to DW, she said: "State actors are trying to create psychological effects, and that means disrupting the services we take for granted. ... Governments are taking these threats seriously, but many are still grappling with the importance of the private sector to this problem. No government will effectively handle these problems alone. "
While autocratic states have sometimes tried to hive off their networks into separate national 'splinternets,' the democratic instinct is to cooperate. Schinas, whose portfolio in the Brussels Commission is entitled 'Promoting the European Way of Life', told the conference it was time to switch from a culture of "need to know” to "need to share” — a principle he said will be a key part of the security policy to be launched by Commission President Ursula von der Leyen later this year.
But governments do not always like sharing sensitive data about their vulnerabilities. As Schinas put it: "We need to build trust."
Read more: Is 2020 finally the year for German 5G?
Everything connects
Amid all the soul-searching about policies, there were plenty of concrete examples of how vulnerable the emerging digital future may be, but also of the opportunity it holds.
Schinas envisioned a world 500 billion interconnected devices, where "practically everything will be connected to everything." That creates a need, he said, for Europe to create a new competence center to shield industry from attacks. It will mean new skills, and the workforce to go with it.
Kristie Canegallo of Google, who has worked on the 2019 EU and Indian elections, reported that her company sees countless cases of state-sponsored phishing, maps altered to show polling stations in the wrong location, or even false claims that candidates have died. But she said it is possible to get the better of such tricksters: "We've got teams around the world working to monitor and disrupt inauthentic activity, disinformation campaigns, coordinated attacks and other forms of abuse 24/7."
The participants at the MCSC acknowledged that the digital space is inherently risky and attractive to shady operators, whether their motives are political, financial or merely to disrupt. Opinions vary on whether regulation is the answer, or just better technology, but many speakers were determined to strike a note of optimism.
As Juhan Lepassaar, Executive Director of ENISA, the EU Agency for Cybersecurity, told DW:
"There are more than one hundred different types of assets around 5G that can be attacked. From the defender point of view, that means you have a huge in-tray, whereas the offender can just pick one. You never know which one. There is an imbalance. But by raising the common level of resilience - the battle becomes winnable."