Mitigating security risks: we speak to Huawei US security chief


The ongoing trade war between the US and China has affected businesses from both countries but no company has faced the level of scrutiny that the Chinese telecoms giant Huawei has. 

Huawei has been at the center of a global debate that has seen President Trump sign an executive order banning American companies from doing business with the firm and other foreign suppliers that could potentially pose a risk to national security.

Despite the ongoing turmoil, Huawei continues to operate a US branch that provides solutions for consumers, enterprise businesses and telecoms across the country.

TechRadar Pro spoke with Huawei USA’s Chief Security Officer Andy Purdy to learn more about its US operations and how governments and businesses can better mitigate risk.

What does your role as Chief Security Officer at Huawei USA entail?

My role of CSO means I’m responsible for cybersecurity and privacy activities in the U.S. I chair the Huawei USA Cyber Security and User Privacy Committee, which consists of representatives from different business groups and departments, to help make sure that we understand and fully comply with the requirements of cybersecurity and privacy and that we can protect our customers and protect Huawei, with a particular focus on how we request and access customer networks and customer data. 

This committee serves a cyber/privacy risk management compliance function and aims to help develop the evolving requirements. We want to make sure we abide by the law and regulations in the U.S., and that we meet unique customer requirements and needs. This involves our carrier business, enterprise business and consumer device business. The committee also works very closely with our government relations and public relations team in terms of messaging and understanding specific requirements.

Do you think that your previous experience working for the US government has helped prepare you for your current position and if so, how?

I am very familiar with the statutory and regulatory framework in the U.S. for cyber security and privacy, as well as the risk-based approach that is recommended by USG, individual agencies, and the public-private partnership and of the FCC federal advisory group for communications (CSRIC – Cyber Security, Reliability and Resilience Committee). An effective and transparent, risk-based approach is necessary to ensure assurance and transparency in the telecommunications industry in the U.S. and globally, not just the requirements of an equipment vendor, like Huawei, supplying the telecom operators in the U.S.  


How can governments better mitigate risk when it comes to security?

Cybersecurity is not a one-person job. Connected networks touch every member of the communications supply chain. The government can help encourage collaboration between the public and private sector to develop and strengthen applicable standards and recommended best practices, including the value of using a risk-analytics tool such as the NIST Cyber Security Framework (CSF) to set requirements and assess risk. This helps to determine the applicable risk profile of an organization, informed by their business objectives and risk environment, and inform decision-making and a path toward achieving a more appropriate risk profile.

In this regard the government can promote understanding of the shared responsibility of the telecom operators and the equipment vendors in assessing and managing risk and promoting resilience – all in a transparent manner. A comprehensive approach is necessary given the capabilities of malicious actors in cyberspace and the vulnerabilities of networks and systems. Accordingly, the testing of only one company’s products obviously does not constitute the comprehensive approach necessary to manage cybersecurity risk, and it does little, if anything, to contribute to the development of a universal framework or set of internationally recognized standards and processes for network risk management or independently confirmed assurance and conformance to applicable standards and best practices. 

In this regard, governments can work to promote an assurance framework that enables and requires mechanisms to provide objective and transparent assurance as to which products are currently worthy of trust. In short, we need an assurance framework and mechanisms to enable “trust through verification” – in which everyone is subject to the same standards and other requirements.


Why do you think that it is important for companies to have their code evaluated by third parties?

Independent testing of products and software is an essential part of an effective and transparent assurance framework that should be applicable to telecom operators, equipment vendors, and other third-party providers. Given the level of risk to information and communications networks, it is important to have third-party organizations evaluate and confirm the security of products and the conduct of providers across the ecosystem, so that users and governments have an objective and transparent basis for knowing what products are trustworthy.

Security assurance frameworks, steeped in internationally recognized standards and independent conformance programs, help to protect governments, businesses, and consumers from risks across the board and promote the resilience of our communications networks and systems. These frameworks can provide continuing input to update requirements as the threat landscape evolves.

In your opinion, what are the biggest cybersecurity threats faced by businesses today, and are there any emerging threats that you think could pose a serious risk in the future?

The biggest threats are national security threats designed to steal intellectual property and enable hostile nation states to shut down key networks and systems essential to the proper functioning of government and critical infrastructure. Ransomware attacks highlight the importance to government and private organizations of available and accurate information on which the proper functioning of business and government depend. Key data must be protected in secure and accurate form, as well as backed up frequently to ensure it can be promptly recovered to restore key services. 


Do you think that AI will soon play a greater role in cybersecurity?

Enhanced computer analysis enabled by big data and AI will help in the early and accurate detection of vulnerabilities and concerning activity. It will prompt a response to that detection, helping to minimize risk, reduce the potential consequences of hostile penetration, and promote resilience of networks and systems. It is also hoped that AI will make it easier to predict, detect, alert, and mitigate concerning activities well before the penetration of perimeters, including the identification of bots and botnets, and help with attribution and blocking of attacks and concerning activities.