Boris Johnson’s decision to bar China’s Huawei from the UK’s 5G mobile phone networks may well portend an east-west split in the architecture of the internet, according to the head of the UK National Cyber Security Centre.
Ciaran Martin, who will this month step down as chief executive of the NCSC, a branch of the signals intelligence agency GCHQ, said it now looked “less likely” that the open, “Californian” model of the internet would survive.
With Washington and Beijing increasingly at loggerheads, the Trump administration this month tightened sanctions against Huawei to stop companies selling semiconductors to the Chinese telecoms equipment maker that have been manufactured using US equipment or software.
The UK prime minister’s move last month to reverse his previous decision to give Huawei a limited role providing kit for Britain’s 5G networks was spurred by a previous round of US sanctions against Huawei.
Washington claims Beijing could use Huawei’s equipment to spy on western countries, and the US action against the company is expected to force it to turn to Chinese-made semiconductors.
58% Proportion of companies that fall victim to attacks and admit to making payments, according to a CyberEdge survey
In an interview with the Financial Times, Mr Martin said China and western countries would aim to nurture domestic technology suppliers so that they do not have to rely on foreign companies’ products.
“The Chinese will indigenise the production of microchips and semiconductors,” he added.
Mr Martin said this would impact the way the internet develops. “There are two plausible scenarios for the future of the internet geopolitically: one is we continue forward with an adapted version of the western-led system, with quite a lot of integration, particularly in the unseen parts — the physical structure, the software — with China and other non-western powers.
“Or there’s bifurcation. It is less likely that the first model survives, but it is not inevitable that we end up with the second.”
In the event of a bifurcation, Mr Martin said western countries would “need to make sure that our technological development keeps pace with, and outpaces, any competing model. That’s what really matters”.
To that end, Mr Martin welcomed the UK government’s move to increase its powers to intervene in mergers and acquisitions on national security grounds, to protect domestic tech start-ups from investment by countries that are deemed to be against Britain’s interests.
Plans by western powers to build a commercial alliance to develop an alternative to Huawei and more broadly nurture domestic supply chains — partly based around the Five Eyes intelligence grouping — would be difficult, admitted Mr Martin, but security risks necessitated a change of tack.
“It will need a lot of time and money, but discussions we’ve seen so far are encouraging,” he said. “It is hard taking an intelligence-sharing alliance like Five Eyes and moving it into communications and security, which leads you into commercial policy — but I think people recognise the imperative of doing it.”
Mr Martin is the first head of the NCSC, which was established in 2016 to address failings in the digital defences of companies and organisations across the UK.
“Every organisation now knows they need to understand cyber security risk just as they need to understand financial, legal risk and so on,” he said.
The next phase in the war against cyber crime, which will be prosecuted by Mr Martin’s successor Lindy Cameron, a senior diplomat who served in both Afghanistan and Iraq, will be to integrate security into the next generation of tech — ranging from artificial intelligence to 5G networks.
Mr Martin compared the current state of play on cyber security to the era of the early days of cars when, after an initial free-for-all, governments moved to mandate safety features.
Many of these are largely invisible to people, with the NCSC currently taking down 500,000 malign websites each year and blocking millions of “dodgy” emails before they reach users’ inboxes.
But Mr Martin said more action was needed to build resilience into critical infrastructure, citing the example of the Bank of England baking cyber security into its regulatory model to ensure financial stability. “We need to get all other sectors — energy and telecommunications — to do that as well,” he added.
He also said the government may need to consider banning the payment of ransoms by companies that fall victim to cyber extortion attacks by organised crime groups.
Mr Martin warned an increasing number of businesses were making payments to release data following a proliferation of ransomware attacks.
Although some attacks can cause billions of dollars worth of damage, such as the 2017 WannaCry infection that crippled parts of the NHS, others demand far smaller sums of a few hundred dollars and even provide customer service-style support to speed up payments.
A survey of IT business managers this year by CyberEdge, the security consultancy, found that 58 per cent of companies that fell victim to attacks admitted to making payments — a rise of almost 20 percentage points compared with 2018.
Mr Martin said the best way to solve the problem of attacks was for businesses to make “adequate backups” of their data.
But he added: “I can understand why, given the complexity of circumstances and the sensitivity of some data, why there has not yet been a law outlawing ransoms.
“It is illegal to pay a ransom to a terrorist organisation and that does not apply to other groups — but I would not be against having a look at that if ransomware continues to exist as such a chronic strategic problem.”