Telecommunications (Security) Bill

Written evidence submitted by Heba Bevan OBE, CEO and Founder, Utterberry Ltd. (TSB09)

Dear Members of the Telecommunications (Security) Bill Committee,

It was my pleasure to give evidence today.

As requested during the course of the session, I am providing follow-up evidence below.

Hardware and software security flaws

· Security flaws are regularly discovered within systems in both hardware and software. Often these flaws are not discovered until (i) hacking has been discovered and an audit of the events takes place, (ii) intensive study/testing/usage of the system takes place over many years, revealing the flaws, or (iii) the development of new technology enables us to discover security flaws in older technology.

· In 2018, fundamental security flaws known as Meltdown and Spectre were discovered in central processing units (CPUs) from Intel and other companies. This required Microsoft, Linux and other operating system providers to redesign their kernels and update the operating systems as soon as possible to work around the hardware flaws (TheRegister.com, 4 Jan 2018, https://www.theregister.com/2018/01/04/intel_amd_arm_cpu_vulnerability/, accessed on 19 Jan 2021). The economic impact and the number of users that came under attack through these flaws before they were discovered and before the flaws were addressed can never be fully known.

· So long as (i) hardware is built in a ruggedised manner, (ii) hardware and software are security tested, and (iii) a rigorous regime of regular maintenance is followed (e.g. software and hardware updates), security will be enhanced. If that is not done, there will be system degradation and greater numbers of long-term security flaws that facilitate cyberattacks.

· Standards of testing and maintenance are critically important to identify and eliminate vulnerabilities. Telecommunications network providers typically follow certain national and international standards and practices when auditing, testing and maintaining systems. The UK should not just follow existing standards. New, innovative and continuous testing regimes should be created, encouraged and adopted to uncover and remedy security flaws. Part of the £250 million diversification funding should be invested in this area with the aim of making the UK the world leader in preventing cyberattacks.

Investment of the £250 million Diversification fund

· I would like to highlight that the UK will need all of the investment that it can muster to build the next generation of resilient, secure networks.

· As mentioned above, a portion of the fund should be spent on creating new, innovative testing and maintenance methodologies for software and hardware systems.

· It would be great to use the investment to reduce existing disparities between local economies within the UK by investing in the North and West of the UK, as well as in rural areas generally, generating jobs to boost our economy.

· The UK should establish at least a small capability to fabricate its own chips. I do appreciate that it would require a much bigger investment than £250 million, however.

19 January 2021

Prepared 21st January 2021