The ongoing trade war between the US and China has affected businesses from both countries but no company has faced the level of scrutiny that the Chinese telecoms giant Huawei has.
Huawei has been at the center of a global debate that has seen President Trump sign an executive order banning American companies from doing business with the firm and other foreign suppliers that could potentially pose a risk to national security.
Despite the onoging turmoil, Huawei continues to operate a US branch that provides solutions for consumers, enterprise businesses and telecoms across the country.
TechRadar Pro spoke with Huawei USA’s Chief Security Officer Andy Purdy to learn more about its US operations and how governments and businesses can better mitigate risk.
What does your role as Chief Security Officer at Huawei USA entail?
My role of CSO means I’m responsible for cybersecurity and privacy activities in the U.S. I chair the Huawei USA Cyber Security and User Privacy Committee, which consists of representatives from different business groups and departments, to help make sure that we understand and fully comply with the requirements of cybersecurity and privacy and that we can protect our customers and protect Huawei, with a particular focus on how we request and access customer networks and customer data.
This committee serves a cyber/privacy risk management compliance function and aims to help develop the evolving requirements. We want to make sure we abide by the law and regulations in the U.S., and that we meet unique customer requirements and needs. This involves our carrier business, enterprise business and consumer device business. The committee also works very closely with our government relations and public relations team in terms of messaging and understanding specific requirements.
Do you think that your previous experience working for the US government has helped prepare you for your current position and if so, how?
I am very familiar with the statutory and regulatory framework in the U.S. for cyber security and privacy, as well as the risk-based approach that is recommended by USG, individual agencies, and the public-private partnership and of the FCC federal advisory group for communications (CSRIC – Cyber Security, Reliability and Resilience Committee). An effective and transparent, risk-based approach is necessary to ensure assurance and transparency in the telecommunications industry in the U.S. and globally, not just the requirements of an equipment vendor, like Huawei, supplying the telecom operators in the U.S.
How can governments better mitigate risk when it comes to security?
Cybersecurity is not a one-person job. Connected networks touch every member of the communications supply chain. The government can help encourage collaboration between the public and private sector to develop and strengthen applicable standards and recommended best practices, including the value of using a risk-analytics tool such as the NIST Cyber Security Framework (CSF) to set requirements and assess risk. This helps to determine the applicable risk profile of an organization, informed by their business objectives and risk environment, and inform decision-making and a path toward achieving a more appropriate risk profile.
In this regard the government can promote understanding of the shared responsibility of the telecom operators and the equipment vendors in assessing and managing risk and promoting resilience – all in a transparent manner. A comprehensive approach is necessary given the capabilities of malicious actors in cyberspace and the vulnerabilities of networks and systems. Accordingly, the testing of only one company’s products obviously does not constitute the comprehensive approach necessary to manage cybersecurity risk, and it does little, if anything, to contribute to the development of a universal framework or set of internationally recognized standards and processes for network risk management or independently confirmed assurance and conformance to applicable standards and best practices.
In this regard, governments can work to promote an assurance framework that enables and requires mechanisms to provide objective and transparent assurance as to which products are currently worthy of trust. In short, we need an assurance framework and mechanisms to enable “trust through verification” – in which everyone is subject to the same standards and other requirements.
Why do you think that it is important for companies to have their code evaluated by third parties?
Independent testing of products and software is an essential part of an effective and transparent assurance framework that should be applicable to telecom operators, equipment vendors, and other third-party providers. Given the level of risk to information and communications networks, it is important to have third-party organizations evaluate and confirm the security of products and the conduct of providers across the ecosystem, so that users and governments have an objective and transparent basis for knowing what products are trustworthy.
Security assurance frameworks, steeped in internationally recognized standards and independent conformance programs, help to protect governments, businesses, and consumers from risks across the board and promote the resilience of our communications networks and systems. These frameworks can provide continuing input to update requirements as the threat landscape evolves.
In your opinion, what are the biggest cybersecurity threats faced by businesses today, and are there any emerging threats that you think could pose a serious risk in the future?
The biggest threats are national security threats designed to steal intellectual property and enable hostile nation states to shut down key networks and systems essential to the proper functioning of government and critical infrastructure. Ransomware attacks highlight the importance to government and private organizations of available and accurate information on which the proper functioning of business and government depend. Key data must be protected in secure and accurate form, as well as backed up frequently to ensure it can be promptly recovered to restore key services.
Do you think that AI will soon play a greater role in cybersecurity?
Enhanced computer analysis enabled by big data and AI will help in the early and accurate detection of vulnerabilities and concerning activity. It will prompt a response to that detection, helping to minimize risk, reduce the potential consequences of hostile penetration, and promote resilience of networks and systems. It also hoped that AI will make it easier to predict, detect, alert, and mitigate concerning activities well before the penetration of perimeters, including the identification of bots and botnets and help with attribution and blocking of attacks and concerning activities.