Chip bans not enough to secure critical networks
Roula Khalaf, Editor of the FT, selects her favourite stories in this weekly newsletter.
Governments worldwide are banning the use of foreign hardware in critical infrastructure over national security fears. But experts in global cyber threats are questioning the effectiveness of a strategy that may only increase geopolitical tension — while leaving vulnerabilities elsewhere.
In May, China announced that domestic infrastructure operators would no longer be allowed to acquire computer chips or components from American semiconductor company Micron Technology, due to “serious network security risks”.
This prompted the US commerce department to say China’s decision had “no basis in fact” and was “inconsistent with [its] assertions that it is opening its markets and is committed to a transparent regulatory framework”.
However, China is not alone in implementing component bans on the basis of security assessments. The US government, itself, has long taken a hard line on Chinese tech companies, such as Huawei and ZTE. Donald Trump banned the use of their products in federal departments during his presidency, and Joe Biden’s administration has since tightened these restrictions.
Similarly, the EU has advised its member states not to use telecommunications equipment from Huawei and ZTE across their 5G networks, in a bid to strengthen bloc-wide security. And the UK is in the process of removing Huawei technology from its 5G network, “in response to US sanctions” related to Chinese technology.
“Western governments are exercising legitimate levers to de-risk their cyber security and critical infrastructure concerns,” says Alastair MacGibbon, chief strategy officer at cyber security company CyberCX. But he suggests that China’s bans on western tech are likely “more retaliatory in nature” and “a fig leaf at best”.
Some see other rationales for China’s cyber policy. Alan Calder, chief executive of governance, risk management and compliance consultancy GRC International Group, believes that China’s Micron ban shows it wants to be less dependent on US tech as it vies for “global supremacy” and prepares for potential Sino-American hostilities.
“It [China] doesn’t want to be in a position where its industrial capability is constrained by reliance on critical components produced by its prime adversary,” he argues.
However, Chris Grove, director of cyber security strategy at cyber security software company Nozomi Networks, suggests the Chinese Micron ban was motivated more by financial gains than national security fears.
“By closing Micron out, they are able to carve out a corner in an industry that they previously were unable to successfully compete in with their semiconductors,” he says. Grove thinks it may ultimately backfire, though, if overseas companies move their manufacturing elsewhere.
But even where hardware bans are genuinely intended to protect critical infrastructure from cyber attacks, they may not have the desired effect.
Bharat Mistry, technical director at cloud and endpoint security company Trend Micro, calls it a “silver bullet” approach and warns that nation-state hackers can breach critical infrastructure using other methods.
For example, they can leverage vulnerabilities in outdated software or conduct social engineering attacks that “trick the victim into either giving up sensitive information or taking actions that compromise their security posture”.
Yuval Wollman, ex-director-general of the Israeli Intelligence Ministry and president of software provider CyberProof, agrees that the choice of hardware is only a small part of improving cyber security for national infrastructure.
Implementing an effective incident response plan that defines “clear roles, communication protocols and backups” and teaching employees how to spot cyber attacks are key steps in strengthening national infrastructure systems, Wollman says.
He also advises national infrastructure operators to invest in firewall and intrusion detection systems to help identify and mitigate cyber threats. And they should perform regular software updates so that hackers cannot use software vulnerabilities as backdoors into critical infrastructure systems.
Cyber attacks will also change in future, as criminals and nation states increasingly harness artificial intelligence to automate their attacks. Building defences against this technology — rather than hardware — will therefore be more important to maintaining national security over coming decades.
“The cyber risks are just one element [of foreign tech bans],” says Katell Thielemann, distinguished vice-president analyst at market research provider Gartner. “Bigger geopolitical competitive forces cannot be ignored and will continue to play out on other technological fronts such as AI, quantum computing, space systems or biotech.”