Over the last few months, a consistent theme in the media has been the threat posed by Chinese security and network solutions. It's unsurprising that the birth of China as a modern post-industrial giant strikes fear into the hearts of many - particularly countries and companies who would see China, or its industry, as a threat. It's also entirely rational to assume that foreign agencies will use all the tricks in the book to obtain a national advantage - most countries have a long history of doing just that. Minus the trappings of 20th-century world leadership, China may well be less reserved about it than others such as the USA or Britain. There is no doubt whatsoever that the cyber security threat has crept up on us quietly over the last decade, without being noticed. Only in the last few years have international governments started to acknowledge the systematic nature of the threat and the serious focus it requires.
This is a fair and qualified justification for greater investment in the cyber security arena, for public debate, and for reprioritisation of national defence programmes - not for politicisation, but to serve as a very real, tangible defence against what is now an ever-present, current threat.
However, the nature of current headlines makes it reasonable to conclude that too much of the current cyber security agenda is now being sold on Fear, Uncertainty and Doubt – the same ‘FUD’ that the Information Security profession has spent the last few decades trying to shed.
The furore around Huawei is a perfect example – by virtue of its nationality, the company has been blocked from bidding for major contracts in several countries, and has been subjected to such criticism from the US that picking a Chinese security supplier must now seem to many businesses like an act of treachery. There is no evidence to suggest that they have been anything but open about their technology, and no one has yet demonstrated that their products pose a threat. Could a rational caution be going too far and closing the door to technology that could offer a competitive advantage? With not all the facts in the public domain it's hard to say for certain - but from the consumer media, it looks that way.
Certainly, any information security manager attempting to build a business case on the back of insubstantial evidence would get a less sympathetic hearing from a corporate board than the world's press appears to be giving to current claims.
The worry remains that government agencies are playing on fears that often appear to the public to be unfounded, or at least unproven. In doing so, they may risk undermining the case for national cyber security when it most matters; just as selling FUD in business has made it harder to sell investment in security today.
Continuous low-level espionage attempts have always taken place, and always will; the only thing that has changed is the means, and ease, of doing it. That does not justify escalating espionage attacks to the status of 'cyber war' simply because they are committed with computers, but we nevertheless need to acknowledge that some systems could one day be leveraged to underpin cyber aggression against a designated target. To address this, we need a more mature debate that moves away from FUD and towards an evidence-based approach.
What is required to address the underlying threat is not a focus on fear, but a consistent resolve across governments to build security into the national business model at every step. Unfortunately, this is not an exciting answer. Security, when it works, is like accountancy - invisible and boring. Responding to cyber threats does not require a global panic, but simply the building of security into how we all operate organisations and live our lives, the development by governments of high expectations across both government and industry, and a security-aware culture.
The current inability to protect against cyber threats will not be solved by vast central programmes and costly cyber-weapons; it may be solved by enforcing consistent expectations and by building security awareness and technical competence into primary school curricula.
Certainly, it will not be solved by FUD.