Q&A: Huawei Executive On Cyber Security As the world’s second-largest supplier of telecommunications network equipment, Huawei plays a part in the technology industry’s efforts to ensure network security around the world. But last year, some U.S. lawmakers called Huawei a potential national-security threat and recommended that U.S. telecom carriers avoid using the Chinese firm’s equipment. Huawei denied the allegations, but the company’s equipment has been effectively shut out of the U.S. market. The Shenzhen-based company, which supplies equipment to over 500 telecom carriers world-wide, has argued that allegations targeting specific suppliers based on nationality are not only counter-productive but they undermine efforts to solve actual cyber security issues. Threats to security are not defined by geographical borders, and cannot be simply attributed to specific equipment from certain countries, given the complex supply chain in the global communications industry, Huawei said. On Friday, Huawei released its latest cyber security white paper, an attempt to communicate its view on what the key issues are, what governments and companies can do to improve security and how to design global standards and solutions. The report was compiled by John Suffolk, who joined Huawei in 2011 after serving as chief information officer for the U.K. government. In an interview with The Wall Street Journal, Huawei’s senior vice president and global cyber security officer talked about the company’s view on how best to ensure cyber security. Edited excerpts: WSJ: Are there any patterns or trends in security threats? Mr. Suffolk: People who monitor cyber threats have identified a very distinct move onto mobile-based threats. As you connect more devices into your corporate or personal networks, they open up another avenue for people to come in and do whatever they want to do to your data and systems. There has been a significant increase in mobile-based malware. The reality is that people who want to break into your system will use whatever route available to them – personal computers, tablets or mobile phones. We know that there will be more citizens connecting to the Internet over the next 10 years. We know there will be more devices connected to the Internet. That just means the whole threat landscape will change dramatically. WSJ: Are governments and businesses ready to cope with such threats? Mr. Suffolk: The world isn’t ready for it. For example, a study by the Australian Signals Directorate has found that just practicing four basic things – such as fixing vulnerabilities in applications and minimizing the number of users with administrative privileges – can stop more than 80% of all the threats. But many companies today don’t even do the basics of cyber security. Companies have operational businesses to run. They are focused on generating revenue and profits and investing new products. So cyber security is not always a top business priority. It’s a bit like insurance. It becomes more of a priority when part of your building burns down or you get burgled. But cyber security does need to rise to the broad agenda because it will get tougher as more devices are connected. Sometimes people think cyber security is all too complicated and there are no solutions. It is surely difficult, but there are plenty of best practices and research that we can refer to. By doing a small number of things, you can make dramatic improvements to the protection of your technology. WSJ: Some U.S. lawmakers have claimed that Huawei’s equipment could pose a threat to national security. Mr. Suffolk: When people see Huawei’s telecom equipment, they may assume all the components come from Huawei, just because Huawei’s name is on the box. But 70% of all the components in Huawei equipment are from suppliers around the world, with the biggest portion coming from U.S. suppliers. If you ban equipment from Huawei or any specific supplier, that gives you a false sense of security. Hackers don’t pick one equipment supplier to break into the system. They sniff around everyone’s equipment. If you think you’ve solved your problem by blocking certain companies, hackers could still come in through other routes. Over time, all countries will realize that restricting suppliers is not the way forward. The only way to reduce cyber security risks is through global cooperation between governments, businesses and consumers. From Huawei’s perspective, we understand and respect any government’s efforts to perceive and assess the risks to the country. And it’s our job to satisfy all the governments we work with – we operate in over 140 countries around the world. WSJ: U.S. lawmakers have raised concerns that the Chinese government may tell Huawei what to do. Mr. Suffolk: In our latest cyber security white paper, we show how we limit the chances of any government trying to put pressure on Huawei to do wrong things. We break up the process within the company to make sure that no one person has full control of a product. Even if I write a software code, for example, I won’t have the right to compile that code into the final product. It goes through multiple levels of verification outside the people on the product team. Another question to ask is why a government or a hacker would use equipment suppliers’ products to break into someone else’s system, when it would be much easier to use more common methods like a fishing attack or malware. For example, if you added something to a software code used in our equipment to cause damage, for example, it would probably only affect one client, because network infrastructure is highly customized: the way one customer implements equipment is different from the way another customer implements it. We genuinely hope that people from technical and security sides will review and critique our white paper and question us on it, because that will help us improve our processes and products. WSJ: What is the biggest hurdle for setting up global cyber security standards? Mr. Suffolk: The biggest hurdle is that the technology industry doesn’t want mandatory global standards. Because governments and big enterprises are not using their buying power to really demand the highest level of security from network equipment suppliers, vendors are not putting their investment dollars into security unless they really need to. And among the global vendors, the spotlight has been on Huawei more than anyone else, because we are quite unique being a Chinese-headquartered business. And therefore we have to go the extra mile when it comes to security, and we are pleased to go the extra mile. But there’s no point in Huawei improving its security on its own if nobody else in the ecosystem improves their security. Governments are big spenders in the information technology industry, so if many governments got together and demanded certain security standards from all vendors, the whole industry will then shift to those new standards. And once the governments do that, enterprise clients will follow and do the same. blogs.wsj/digits/2013/10/18/qa-huawei-executive-talks-about-cyber-security/#!
Posted on: Fri, 18 Oct 2013 20:01:31 +0000
Trending Topics
Recently Viewed Topics
© 2015