Media coverage of cyber security trends typically cites a range of problems facing CISOs, from an expanding attack surface (everyone’s working remotely) to digital supply chain risk.
But beyond the ransomware attacks and other day-to-day crises, there is a larger issue to be dealt with: the broad-scale erosion of societal trust in technology. There needs to be an objective and transparent basis for knowing what products and services are worthy of trust and will be resilient enough to inevitable attacks.
Whether people trust technology might seem to fall outside the remit of the average CISO, but trust can become a mission-critical issue for an organization – as it is for Huawei, the world’s largest maker of telecommunications equipment.
Given the complexity of technology and its pervasiveness in daily life, some may ask whether restoring trust in tech is even possible anymore. ORF, a think tank based in India, notes that today, the software in a typical car includes more than 100 million lines of code. How can anyone be sure that the potential vulnerabilities in that code are free from malicious functionality?
No panaceas are available. But when companies embrace greater transparency, they help the public assess the reliability of an organization’s cybersecurity strategy. The question is how to do this.
Clear and uniform standards
An important step is to acknowledge that cyber security is a responsibility shared by equipment vendors, other third-party suppliers, operators and their partners. All must have clear requirements to meet, preferably tied to consensus-based standards and industry best practices.
Agreed-upon standards provide clear, objective requirements. Providers of cellular, broadband, and wireless internet service need adequate visibility into their suppliers' conformance with those requirements, and into those suppliers' day-to-day operations.
For telecom equipment, these standards already exist. For example, the Network Equipment Security Assurance Scheme (NESAS) is a globally recognized standard that can be used to evaluate and test products and solutions, but also to check on how they are developed and maintained.
NESAS was developed through a collaborative process leading to consensus; however, it is relatively new, and its ecosystem of independent test labs is not fully developed, so its standards currently provide only a baseline level of assurance. In addition, such standards are not always applied uniformly to all vendors. Given the sophisticated threat landscape, it is important that testing be conducted on all critical gear from all suppliers, no matter what their country of origin may be.
As another step toward transparency, technology vendors can set up evaluation centers in which customers can scrutinize what they are buying. For example, Huawei operates seven regional Transparency Centers in Europe, the Middle East, Asia Pacific, and North America. Such centers allow for third-party testing of Huawei products; some centers permit evaluation of our source code by customers, third-party experts, and even government experts. Evaluators can bring their own tools and their own people, and can stay until they are satisfied that the solutions are trustworthy.
Naturally, part of being transparent is disclosing vulnerabilities. Huawei and other companies comply with responsible vulnerability disclosure practices that reduce the odds that unpatched vulnerabilities will be discovered and exploited by malicious cyber actors.
There is a continuing focus on promoting the sharing of cyber incident information as early as practicable so that private organizations and governments can connect the dots earlier in the attack lifecycle. On May 9, the Securities and Exchange Commission closed a public comment period on a proposed rule requiring publicly traded companies to disclose cyber incidents, and to detail the roles of management and the board of directors in cybersecurity policy.
As is inevitable on the path toward policy revisions dealing with important issues, the proposed rule is already generating some push-back. The Society for Corporate Governance has asked the SEC to modify the proposed rule in the following and other ways:
- delay mandated corporate disclosure of cyber incidents “so they don’t interfere with law enforcement or national security investigations”
- adjust the disclosure framework to reflect the possible “need for issuers to remediate vulnerabilities before public disclosure”
- not require issuers to speculate on the cumulative impact of previously disclosed cybersecurity incidents.
While no company wants to be overregulated, more disclosure of cyber security incidents and vulnerabilities will help rebuild trust over time. Companies should welcome this as a central element of good corporate governance necessary for shared responsibility in cyberspace.
Open source software can be helpful as well. Netflix, for example, has developed dozens of open-source cybersecurity products. Millions of households entrust the company with their personal information, including credit card details and the viewing habits of family members, and the company wants to keep its popular TV series beyond the reach of people who want to view the content without paying. Netflix has found that harnessing the world’s pool of programmers to build its security software made its data more secure.
Huawei is also a major contributor to open-source software. Jim Zemlin, Executive Director of the Linux Foundation, notes that the company “created a strategy to pick the right source projects to base their products on, and integrated open source development into their procurement process and into their actual engineering processes.” The company used the code, modified it, created products with it, and then shared the changes it made to the code with the open-source projects it got the code from in the first place. As Zemlin notes, this created “a virtuous innovation cycle, not just within Huawei, but with hundreds of other companies as well.”
What about decoupling?
Politicians talk about decoupling: the deliberate separation of technology platforms (and even trading partners) into separate camps, with China on one side and the US and its allies on the other. This, they say, will split the world into two distinct groups: the Trusted and the Untrusted.
But some experts believe a complete decoupling will not happen – that it is more likely that globalization will be reshaped. For example, a new report by geo-economic and national security consultancy Darkhorse Global says globalization has created “an irrevocably interconnected ecosystem for telecommunications.” In semiconductors, Intel CEO Pat Gelsinger said in a recent interview that the US will “never” be independent of foreign suppliers. European Commission head Ursula von der Leyen says it is more likely that global semiconductor production will undergo a geographic rebalancing, shifting from about 80% of production in Asia (and 20% in the U.S. and Europe) to about 50%, with the remaining half done in Europe and the U.S. (20%/30%). A partial decoupling may take place; a total decoupling will not.
While perfect solutions will remain forever out of reach, greater transparency is one method of appropriately managing risk and promoting resilience. Practiced consistently over time, this approach will start to rebuild public trust in digital technology and the institutions that rely on it.
Andy Purdy is Chief Security Officer at Huawei Technologies U.S.A.