I attended a meeting this morning where in passing there was a reference to the new British Telecom network upgrade (21CN) that is now underway. The presentation had just included a warning to British businessmen travelling to China (after all, even a senior No10 aide had been caught). Then it was pointed out that a key component of 21CN was manufactured in China by a manufacturer with close links (don”t they all?) to the Chinese Government, that Government departments and most businesses allowed at least some of their key data or their voice communications to go over BT networks. So by implication any malign intervention wouldn”t require a honey-trap on someone visiting China but could be done remotely via the components in 21CN.
Apparently, one of the suppliers of 21CN”s Multiservice Access Nodes (and let”s be honest, I am not sure precisely what these are, but they sound important) are Huawei Technologies. Huawei promise that their success in winning the contract will create “many new jobs in the UK”.
Obviously, it is possible for people to be paranoid (and many are) that anything electronic manufactured in China (or anywhere else that we don”t trust this week) might contain “hidden” code capable of broadcasting back the contents of communications or even allowing control of equipment to be passed to those with malign intent overseas. But as we know being paranoid, doesn”t mean that people aren”t out to get you.
So how worried should we be about the security of British business and of the UK”s critical national infrastructure?
I cannot assess the real scale of the threat, although there does seem to be a growing consensus that the Chinese Government are building up their capacity to wage cyber war and that there is the intent to achieve cyber dominance by 2050. The Chinese are certainly investing heavily in high technology and there is substantial US concern about the Chinese capacity for conventional and industrial espionage by electronic means.
What I am clear about is that as a nation we do not take information security as seriously as we should – and this applies both in the public sector but also in the private sector. If there is a threat from BT”s 21CN, it may now be too late to do anything about it, and that leaves the real question what is being put in place to ensure that the threat is being mitigated.