At a glance.
- Evolution of Indian policy on 5G security.
- Supply chain security policy in the UK.
- More industry comment on the US Executive Order on improving cybersecurity.
- Comment on cybersecurity bills pending in the US House.
India’s evolution on 5G supply chain security.
Foreign Policy lays out a rough timeline of India’s shift away from Beijing towards Washington on the 5G question:
- New Delhi embraces strategic ambiguity on which vendors will participate in its networks
- India’s Communications Minister declares the country’s 5G trials open to all
- A science and technology-oriented committee is convened to examine Chinese suppliers
- A security-oriented committee is convened to examine Chinese suppliers
- The Galwan Valley clash sours relations with Beijing
- New Delhi embargoes hundreds of Chinese apps
- New Delhi bolsters technological ties with Australia, the EU, and the US
- Huawei and ZTE do not participate in India’s 5G trials
Foreign Policy forecasts that the cyber domain and its technology and governance may fracture into Washington- and Beijing-led factions separated by a “digital iron curtain.”
Concerns about digital supply chain security in the UK.
Britain’s Department for Digital, Culture, Media and Sport (DCMS) is asking industry leaders how to strengthen digital supply chain and third-party IT service security, Computing reports. The Department discovered that just over a tenth of organizations examine vendors’ security risks, while only five percent address general supply chain security.
Digital Infrastructure Minister Matt Warman noted “a long history of outsourcing of critical services,” and urged organizations to “secure their mission critical supply chains - and remember they cannot outsource risk.” Stricter rules for managed service providers (MSPs) may be on the way following the two-month review. One observer said the plan doesn’t do enough to address software supply chain security risks.
BleepingComputer notes that the call for counsel supports the UK’s National Cyber Security Strategy by, per a policy paper, assessing supply chain risk management approaches and obstacles, with a focus on the far-reaching functions of MSPs.
BBC News worries about supply chain risks at the R&D stage, questioning Huawei’s motives for “partnering” with thirty-five UK universities and funding research centers across the country. The details of these partnerships (which numbered 16 thousand in 2020) are often kept vague or undisclosed. "We give universities money, technology and platforms for research," Huawei's UK VP explained, "and we take awareness of the direction of the future."
More industry comment on the US Executive Order.
Ryan Yackel, VP of product marketing at Keyfactor, wrote to emphasize that public-private cooperation is essential if the measure is to have its intended effect:
"There's no doubt that malicious entities, from state-sponsored threat groups to basement-dwelling hackers, are growing more sophisticated, and they are increasingly targeting our critical infrastructure. There has been an awakening for the importance of modernizing cybersecurity in our critical infrastructure - and it's about time.
"While Keyfactor commends the U.S. government for its swift action to modernize the federal government’s cybersecurity, federal action alone is not enough, and executive orders only go so far. A cohesive strategy cannot be accomplished without equal partnership and participation by the government and private industry.
"This acknowledgment is a step in the right direction. However, this EO recognizes the reality that most of ‘our domestic critical infrastructure is owned and operated by the private sector.’ So, while the administration can encourage the private sector to follow the federal government’s direction, they need to find ways to encourage and incent participation from the private sector."
Comment on cybersecurity bills before the US House.
Several bills affecting cybersecurity have this week passed out of committee in the US House of Representatives. Trevor Morgan, product manager with comforte AG, commented that, if nothing else, the measures represent an index of how seriously government and industry should treat the challenges they face:
"The five bills passed by the U.S. House Committee on Homeland Security to improve defensive capabilities against cyberattacks dramatically underscore the level of seriousness that both governments and enterprises need to adopt in the face of mounting cyber-threats. As leaks and breaches wreak havoc on infrastructures, supply chains, and even national security, we all need to understand that cybersecurity isn’t an arcane technical topic just for IT professionals to deal with—we each have a vested interest in keeping our own personal data, our employers’ and customers’ sensitive information, and our infrastructure-centered and national-security secrets safe from harm.
"It starts local with our own data-security-mindedness and then grows from there into a culture of data security in our businesses and governments. Any enterprise that isn’t heeding the U.S. Government’s actions and reassessing their own data security strategy and posture—including investigating more data-centric methods which protect the data itself no matter where it goes or who intercepts it—is being remiss and will be in for a world of hurt if the unthinkable occurs.
"As ongoing incidents and these responses demonstrate, the unthinkable is quickly becoming the highly likely for organizations at all levels."