Huawei, the China-based, $50 billion, international telecom giant, wants to collaborate.
Not that the concept is new - collaboration has been a buzzword in cyber security for some time. The goal is what the term implies: For the good guys to have any chance of beating the bad guys, they are going to have to work together.
But its national profile went up last month with the U.S. Senate’s passage of CISA – the Cybersecurity Information Sharing Act – aimed at promoting the sharing of cyber threat information between the private and public sectors.
And Huawei hopes to raise its profile even more, to the global level.
In a series of white papers starting in 2012, the company argues that cyber security, “is not a single-country or specific-company issue. All stakeholders – governments and industry alike – need to recognize that cyber security is a shared global problem requiring risk-based approaches, best practices and international cooperation to address the challenge.”
Or as Antonio Ierano, Huawei’s head of enterprise cyber security, put it in an interview, “We see increased sensibility regarding cyber security coming from our customers – they’re seeing a rising amount of vulnerabilities and hacking problems.
“But they don’t see an easy way to address that concern, because there aren’t common and comprehensive standards to help all of us – vendors, buyers and users.”
Ierano, in a joint interview with colleagues Ulf Feger, CSO of Huawei Technologies in Germany, and Andy Purdy, CSO of Huawei Technologies USA, noted that there have been a number of legislative efforts throughout the world regarding cyber security, “but sometimes they conflict with one another. We don’t see a common approach.”
Its most recent white paper on the topic, “Cyber Security Perspectives,” is an effort to promote that collaboration, they said, with, “the Top 100 things our customers talk to us about in relation to cyber security regarding their vendors.”
The need for a global approach, they said, should be obvious, since the economy is obviously global – products, particularly in IT and ICT (Information and Communications Technology), are never made entirely in a single country. “The equipment and software are likely to be designed, developed and manufactured via tens, if not hundreds, of companies from around the world,” the company’s 2012 white paper said.
Taking up the thread, a second white paper in October 2013, noted that, “the world’s ICT supply chain is intertwined, and it is not possible to label any ICT equipment as ‘foreign.’”
Huawei is an example of that, they said, with up to 70 percent of the components in the company’s technology portfolio coming from a global supply chain – the U.S. is the largest provider of components, at 32 percent.
“We don’t have the solution to every problem,” Ierano said, “but solutions can be found with collaboration. I’m not talking about products but process, practices and frameworks that help us address this kind of environment in a comprehensive, sound way.”
Of course, there are numerous standards bodies in existence – the Payment Card Industry Data Security Standard (PCI DSS) and National Institute of Standards and Technology (NIST) are just two of the more prominent – Huawei said it belongs to 150 industry standards organizations.
Since they all tend to have a somewhat different focus, it sounds like that could be part of the problem – too many organizations muddling the “common approach” goal.
But Ierano said it is a good thing to have lots of organizations involved. “What is lacking is the kind of communication – exchanging experience and ideas that will lead to common agreement,” he said.
Purdy said the goal is not for every organization to do the same thing. He noted that NIST is, “a risk-analytics tool. It references standards from all over the world. So each organization can say what applies to it – it ties in and references multiple standards.”
Huawei’s most recent emphasis, he noted, was to “contribute to the global conversation” regarding the security of third-party contractors. “We developed a standard for the security of the supply chain when using trusted technology providers,” he said.
The company presents that in the form of a “Top 100” list of questions that an organization should at least consider asking as part of the vetting process of any third-party vendor.
They are grouped into 11 categories:
- Strategy, governance and control
- Standards and processes
- Laws and regulations
- Human resources
- Research and development
- Third-party supplier management
- Secure service delivery
- Issue, defect and vulnerability resolution
“The original list was much larger,” Feger said, adding that it was created from listening to customers and employees, from reviewing other standards bodies and reading more than 1,200 articles on standards and best practices.
The three acknowledge that even if every question on the list is answered satisfactorily, that does not guarantee airtight security.
“But these are the questions that the big customers are asking,” Feger said. “So we give them to our other customers. They are a starting point – tools they can use that are appropriate to their own risk environment.”
Simply asking the questions is not enough, either. According to the “Cyber Security Perspectives” white paper, organizations need the skill to, “understand the answer, ensure the answer is accurate, demonstrable and auditable.”
And, as the verification section puts it, “Assume nothing, believe no one, check everything.”
That kind of rigorous verification standard inevitably raises the issue of how that could be applied to Huawei as well, given regular accusations by the U.S. that both the private and public sectors in China are involved in economic espionage – stealing the intellectual property of U.S. companies.
Huawei has denied involvement in any such activity. In the 2012 white paper, it declared that, “we have never damaged any nation or had the intent to steal any national intelligence, enterprise secrets or breach personal privacy and we will never support or tolerate such activities, nor will we support any entity from any country who may wish us to undertake an activity that would be deemed illegal in any country.”
Still that issue was serious enough to be addressed just two months ago at the highest levels, when President Obama and Chinese President Xi Jinping announced an agreement that they said was aimed at eliminating economic espionage.
But a month later, security vendor CrowdStrike reported that attempted intrusions by “China-affiliated actors” had continued, although the company said they expected there would be a time lag between the agreement and a decline in espionage activity.
Asked to comment on the issue, the company would only issue a statement attributed to Bill Plummer, vice president of external affairs, which said in part, “Huawei, and companies like Huawei, have put in place stringent security assurance processes and programs – from ideation to end of life – to ensure the integrity of our networks, data and products, as well as to protect our intellectual property. Huawei was ranked No. 1 technology company last year by the WIPO PCT (World Intellectual Property Organization, Patent Cooperation Treaty) in terms of patents filed.”
The bottom line, according to Purdy, is that all companies should qualify their third-party suppliers and vendors, “from a cyber security perspective as well as quality of the product.”
“If companies don’t do it, they are giving up a part of their security,” Ierano said.