If governments clarify security expectations, vendors will follow: Huawei

Governments concerned about increasingly high-profile cyber-attacks must look past individual suppliers and work with vendors to consider risk in the context of an increasingly global security supply chain, the head of IT security with network supplier Huawei has advised.

Citing the importance of public-private partnerships to evaluate and implement best practice around security protections, John Suffolk – Huawei’s global cyber security officer and a previous UK government CIO – said the sheer number and diversity of security solutions being pitched to a market terrified by the spectre of cyber-attack was creating strategic challenges for organisations that just want to protect their data.

Security requirements vary according to individual organisations’ policies and exposure, he said, which makes it difficult for potential customers to know exactly how security solutions fit together.

“I never specify what ‘good’ looks like from a security point of view,” Suffolk told CSO Australia after a presentation to audiences at this week’s CeBIT conference in Sydney. “It’s very hard to do because there’s a plethora of standards and best practice. Having policies about this is meaningless because you have hackers that know you haven’t patched your server, and they’re going to come through your front door.”

Despite rapid growth that last year made it the world’s second-largest supplier of network equipment, Huawei has struggled to counter a growing perception that it is an instrument of the Chinese government and that its products could compromise institutional security. The company was excluded from participation in Australia’s National Broadband Network (NBN) last year on security grounds; it offered its source code for inspection as a peace gesture, but last month disbanded its local NBN-related business unit.

Last month, Huawei turned its back on the US market after it and fellow Chinese equipment maker ZTE were effectively blacklisted by US politicians and telecommunications carriers, and flagged as a risk by concerned analysts.

Arguing that 70% of the components in Huawei equipment come from third parties, most of them overseas suppliers, Suffolk said efforts to boost security by mandating particular equipment were misplaced: “I don’t see that as a viable solution, because everyone’s components come from around the world,” he said. “People rely on free trade, and that’s what we should promote and protect.”

In the longer term, government organisations will need to continue working through their policies to develop what Suffolk called “a measured sense of requirement” that guides closer collaboration between those organisations and the private-sector suppliers upon which they rely.

This includes not only specifying security standards, policy and manufacturing requirements – for example, auditing a vendor’s vulnerability management process – but also addressing broader issues such as skills pathways and policies for boosting R&D investment. Australia’s dwindling base of IT security experts has been singled out as a significant threat facing the country, and is forcing providers such as security service provider Earthwave to look overseas and import foreign nationals to meet security demand.

Such trends reflect the difficulties governments have in applying black-and-white policies to a field that is changing by the day – but Suffolk believes these policy vagaries can be worked through as governments and private firms lay down the terms of reference to work together towards common goals.

“Many governments are at different stages of maturity, so we shouldn’t be surprised to see them taking different decisions at different points in time,” he said.

“We clearly need to do more to protect ourselves from people that wish to do us harm from a cyber security perspective, and I think you’ll see quite a lot of alignment around the world. Industry and government can come together to rationalise that quite quickly, and we will see more clarity around what ‘good’ looks like – and most vendors will make the investments to ensure they conform to those standards.”

Stories by David Braue