By John Suffolk - 16th July 2012
Cyber security is more than policies and procedures; it’s also about understanding risk and reward
Europe can play an important role in cyber security and help raise the standards for everybody, says John Suffolk.
I'm passionate about technology and about how new developments can fundamentally change people's lives. But one thing that can hold back progress is the challenge of cyber security and the daily threats we all face. After five years as the British government's chief information officer, responsible for technology security, I was looking for a role where I could meet this challenge head on. That role was global cyber security officer at Huawei, China's most successful private company and one of the world's largest technology companies.
Huawei serves a third of the planet's population: we operate in 150 countries, and our equipment is used by 45 of the world's top 50 operators and by 500 operators overall. Last year alone, at least 1.5 billion people used wireless technology supplied by Huawei. With such global reach comes great responsibility. If you're passionate about getting things right for your customers, you have to be passionate about cyber security.
For us, cyber security is a customer-centric approach. It is not a matter of internal or external policy alone; it covers everything we touch: our suppliers, our people and everything we do. Our global cyber security policy focuses on end-to-end, top-to-bottom accountability, from our CEO to the most distant point of Huawei. The success of this approach hinges on traceability, the cornerstone of any good cyber security policy.
When we set out to deliver a new requirement for a client, we need to trace the whole process from the code we write to the equipment the client ends up using. We need to be able to go forwards and backwards along that chain, checking every step of the way, should a problem arise.
Traceability not only allows us to follow our internal processes and systems; it also allows us to enforce segregation of duties. By clearly defining roles along the development and production chain and keeping them separate from each other, we can assign accountability and know exactly where each step was executed and by whom.
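To make the traceability and segregation-of-duties requirements above concrete, here is an added example that is not Huawei's code or process: a toy provenance ledger in Python in which every step from source commit to shipped device is recorded, linked to its predecessor and signed with a key belonging to a separate role, so that a record can be traced forwards to the devices that run it and backwards to the commit it came from, and a record altered after signing or a step signed by the wrong role is rejected. The step names, role names, HMAC keys, commit id, version and serial numbers are all constructed for the illustration; a real deployment would use asymmetric keys held by separate teams or HSMs rather than shared HMAC secrets.

```python
"""Toy provenance ledger: source -> build -> release -> ship, each step signed by
its own role key. Constructed illustration, not any vendor's real process."""
import hashlib
import hmac
import json

# Constructed role keys. In practice: asymmetric keys held by separate teams/HSMs.
ROLE_KEYS = {
    "developer": b"dev-key",
    "builder": b"build-key",
    "releaser": b"release-key",
    "shipper": b"ship-key",
}
# Which role may sign which step (segregation of duties), and which step must precede it.
STEP_ROLE = {"source": "developer", "build": "builder", "release": "releaser", "ship": "shipper"}
PREV_STEP = {"source": None, "build": "source", "release": "build", "ship": "release"}


def _digest(data):
    return hashlib.sha256(data).hexdigest()


def _canonical(body):
    # Deterministic serialisation so the id commits to exactly this content.
    return json.dumps(body, sort_keys=True).encode()


def make_record(step, role, payload, prev):
    """One ledger entry: content-addressed id, linked to `prev`, signed by `role`."""
    body = {"step": step, "role": role, "prev": prev, **payload}
    rid = _digest(_canonical(body))
    sig = hmac.new(ROLE_KEYS[role], rid.encode(), "sha256").hexdigest()
    return {**body, "id": rid, "sig": sig}


def verify_chain(ledger):
    """True only if every record is intact, correctly role-signed and correctly linked."""
    by_id = {r["id"]: r for r in ledger}
    for r in ledger:
        body = {k: v for k, v in r.items() if k not in ("id", "sig")}
        if _digest(_canonical(body)) != r["id"]:
            return False  # content altered after signing
        if STEP_ROLE[r["step"]] != r["role"]:
            return False  # wrong role for this step: segregation of duties violated
        expected = hmac.new(ROLE_KEYS[r["role"]], r["id"].encode(), "sha256").hexdigest()
        if not hmac.compare_digest(expected, r["sig"]):
            return False  # signature does not match the role's key
        if r["prev"] is None:
            if r["step"] != "source":
                return False  # only a source record may start a chain
        else:
            parent = by_id.get(r["prev"])
            if parent is None or parent["step"] != PREV_STEP[r["step"]]:
                return False  # dangling or out-of-order link
    return True


def trace_forward(ledger, record_id):
    """Serials of all shipped devices that derive from `record_id`."""
    children = {}
    for r in ledger:
        children.setdefault(r["prev"], []).append(r)
    serials, stack = [], [record_id]
    while stack:
        for child in children.get(stack.pop(), []):
            if child["step"] == "ship":
                serials.append(child["serial"])
            stack.append(child["id"])
    return sorted(serials)


def trace_backward(ledger, serial):
    """From a device serial back to the source commit it runs, or None if unknown."""
    by_id = {r["id"]: r for r in ledger}
    cur = next((r for r in ledger if r["step"] == "ship" and r.get("serial") == serial), None)
    while cur is not None and cur["step"] != "source":
        cur = by_id.get(cur["prev"])
    return cur["commit"] if cur else None


def build_sample_ledger():
    """Constructed sample: one commit, one build, one release, two shipped devices."""
    src = make_record("source", "developer", {"commit": "a1b2c3", "tree": _digest(b"source tree")}, None)
    bld = make_record("build", "builder", {"artifact": _digest(b"firmware.bin")}, src["id"])
    rel = make_record("release", "releaser", {"version": "1.0.0"}, bld["id"])
    dev1 = make_record("ship", "shipper", {"serial": "SN-0001"}, rel["id"])
    dev2 = make_record("ship", "shipper", {"serial": "SN-0002"}, rel["id"])
    return [src, bld, rel, dev1, dev2]


def tamper_demo():
    """Altering a signed build record must fail verification."""
    ledger = build_sample_ledger()
    ledger[1]["artifact"] = "deadbeef"
    return verify_chain(ledger)


def role_violation_demo():
    """A builder who also signs a release breaks segregation of duties."""
    ledger = build_sample_ledger()
    bad_release = make_record("release", "builder", {"version": "1.0.1"}, ledger[1]["id"])
    return verify_chain(ledger + [bad_release])


if __name__ == "__main__":
    ledger = build_sample_ledger()
    print("chain valid:", verify_chain(ledger))
    print("devices from commit:", trace_forward(ledger, ledger[0]["id"]))
    print("commit behind SN-0002:", trace_backward(ledger, "SN-0002"))
    print("tampered chain valid:", tamper_demo())
    print("role violation valid:", role_violation_demo())
```

The two demo functions show the failure modes a verifier has to catch: an artifact hash edited after the build was signed, and a single role signing two consecutive steps. Forward and backward tracing both walk the same `prev` links, which is what lets an investigation start from either a commit or a device in the field.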
At Huawei, we are a standards- and process-based organisation. You can't get consistency in your output if you don't have a consistent process. That's why IBM has been designing all of Huawei's processes with us since 1997. Cyber security has been built into every one of those processes. We have not bolted anything on; we've changed the DNA of the way we work at Huawei by building it in from the start of every process, detailing what can be done and, importantly, what must not be done.
Cyber security is more than policies and procedures; it's also about understanding risk and reward, and about having response mechanisms and problem disclosure, all factored into an end-to-end perspective. Of course, when it comes to providing this for clients, not everyone is the same. Concerns about cyber security differ widely from one part of the world to another, and not everyone is comfortable having Huawei handle their sensitive data. When we first moved into the United Kingdom about ten years ago, the UK government had to come up with a model that would allow that to happen. The UK is very open about allowing businesses in, but of course it has to manage risk. The way Huawei managed this, in tandem with UK operators, was to establish a cyber security evaluation centre (CSEC). Our software, hardware and source code were all rigorously tested there; we had no say in the inspection methods or the tools used, and at the end all we received was the final report of what they had found and what they wanted us to fix.
We welcomed that feedback, including the examination of our source code, which surprised the evaluators. The more we are inspected, the more we find, and the more we can improve our processes and products. That makes us more efficient, and our customers get better products at a lower price. For us this is very important; it has driven much of Huawei's success.
The UK model, in which everything is independently tested at the CSEC, is attractive to some governments, and we are looking to open another centre in the future, perhaps on the continent, which is and always has been a key region for Huawei.
From a cyber security perspective, we think Europe can play a very important role. Many data laws around the world are modelled on European data protection legislation, so it is almost certain that if standards are set in Europe, many other countries will follow suit. If Huawei then builds those standards into our basic processes and systems, it will help raise the standard for everybody.
But not everyone is ready for this. A common concern among governments is that they don't want data crossing their borders. This is not just a Huawei issue; clients in general want to know what you are doing with their data. We understand this, so instead of relying on remote support we place more support people in the country concerned. If clients are still cautious, we encourage them to come and inspect us to see how we do all this. Our processes allow clients to check us every step of the way.
Do we guarantee that we are 100 per cent safe? Of course not. There is no such thing as a 100 per cent guarantee, and no one promises one. We work on the assumption that no one and nothing can be trusted, that you are going to have a problem and that you are going to be breached; this is why independent validation, openness and transparency are so important. The problem is not so much where a breach came from as how quickly you can spot it, trace it, remediate it and inform people. That brings us back to the end-to-end traceability which lies at the core of Huawei's global cyber security policy.
John Suffolk is Huawei's global cyber security chief officer