Speaking at an event in Brussels on Wednesday, Ciaran Martin said "sustainable diversity in the supplier market" is one of three "technical pre-conditions for secure 5G networks" of the future.
"Should the supplier market consolidate to such an extent that there are only a tiny number of viable options, that will not make for good cybersecurity, whether those options are western, Chinese, or from anywhere else," Martin said. "Any company in an excessively dominant market position will not be incentivised to take cybersecurity seriously. And at the same time that company could also become the prime target for attack for the globe’s most potent cyber attackers."
Martin also said that there is also a need for "higher standards of cybersecurity across the entire telecommunications sector", and that the networks themselves must be built in a way that makes them "more resilient".
"We must assume that a global supply chain will have multiple vulnerabilities, whether intentional or, more likely, unintentional," Martin said. "Networks are built by human beings and human beings make mistakes. No network can be totally safe. From the point of view of managing corporate risk, or, in our case, national risk, it essentially doesn’t matter whether the vulnerabilities are deliberate or the result of honest mistakes. What matters is that those vulnerabilities can and will be exploited."
"But the networks can and should be designed in a way that will cauterise the damage. That is what we need to do. Put it another way, if you’ve built a telecommunications network in a way that the compromise of one supplier can cause catastrophic national harm, then you’ve built it the wrong way. Resilience is key," he said.
The UK government opened a review of the security of the UK's telecoms infrastructure last autumn.
The NCSC is engaged in work to ensure future 5G networks are secure. 5G has been widely tipped to offer the level of mobile connectivity required to support smart cities, driverless cars and the mainstream adoption of the 'internet of things' more generally. Martin said, though, that 5G security is "complicated".
"[5G] hugely accelerates the pace of technological change but there is no cliff edge transition," Martin said. "It will change the way we think about risk because of what will, over time, depend on it. But it doesn’t change immutable concepts of security or the laws of science. And whilst key to the virtual world, it requires a huge amount of complex physical infrastructure. And how that physical infrastructure is configured varies from country to country, not least depending on the size of the country’s landmass and is population. And it is not a fresh start. It has to build on existing telecommunications infrastructure. Understanding these complexities is essential."
"5G security is not a simple, binary choice. It is about complex technical functions, a complex global threat environment, and a complex global market. One thing is clear: the way that market works has to change. Security must be a bigger consideration in market decisions in the future than it has been to date. We will help fix that," he said.