A “balkanization” of tech – driven by various countries’ needs to be technologically independent from their strategic competitors and adversaries – is underway, delegates to the CyberUK conference heard on Tuesday.
Ian Levy, technical director of the UK’s National Cyber Security Centre (NCSC), said that how technology is designed, standardized, and built is changing, with two camps emerging.
One camp, more aligned with the historic development of the internet, wants open – or alternatively, market-driven – standards that offer security, privacy, and interoperability.
Broadly speaking this camp is made up of the US, Europe, and other Western countries.
A second camp, made up of countries such as Russia and China, wants a system that offers centralized control.
Interoperability has been challenged by the emergence of two ecosystems in the key technology sectors of 5G telecoms and semiconductors, Levy said during the closing plenary session on day one of CyberUK, which is taking place this week in Newport, Wales.
Levy has previously raised concerns that around 80%, or four in five, of the chairs and vice-chairs in telecom equipment standard bodies represent Chinese firms.
Great power conflict
This is a concern because technology development is becoming an element in wider struggles between great powers. China, for example, is rolling out its tech to build the infrastructure of its partners in Africa and across Asia as part of its Belt and Road initiative.
Countries such as Pakistan get investment in building their infrastructure from China but at the cost of becoming both financially and technologically dependent on the country.
Gwenda Fong, assistant chief executive, policy and corporate development, Cyber Security Agency of Singapore, said that while large countries such as the UK and US have the resources to build their own tech stack, this isn’t an option for smaller countries such as her own island state.
“We have to hope for technological interoperability, but we are seeing fragmentation and less common interest in protecting systems,” Fong said. “This is damaging stability.”
Levy warned that while choosing open systems will remain possible, they will become a “lot more expensive” and “difficult to manage” because of tech balkanization.
He advised that organizations need to become more involved in shaping the development of technology. Enterprises, meanwhile, should use their purchasing power to insist on trust, data portability, and interoperability.
Measure for measure
During the plenary session – entitled ‘Will we still be able to do cyber security in five years?’ – the NCSC’s Levy aired his wider critique of how the cybersecurity industry works and, in particular, how it measures progress.
Levy argued that the industry ought to be more scientific in its approach, but this is a problem because we don’t have a methodology to measure change, much less relevant data.
For example, the industry has failed to define what it means by terms like resilience. “Resilience of what? The system or the stack,” Levy said.
“We’re not very good at cybersecurity and… not rigorous about measurement,” he concluded.